Context Navigation

source: trunk/src/reglookup-recover.c @ 150

Last change on this file since 150 was 150, checked in by tim, 15 years ago
integrated talloc into most of the rest of the regfi library fixed a length validation issue
Property svn:keywords set to `Id`
File size: 24.3 KB

Line
1	/*
2	* This program attempts to recover deleted data structures in a registry hive.
3	*
4	* Copyright (C) 2008-2009 Timothy D. Morgan
5	*
6	* This program is free software; you can redistribute it and/or modify
7	* it under the terms of the GNU General Public License as published by
8	* the Free Software Foundation; version 3 of the License.
9	*
10	* This program is distributed in the hope that it will be useful,
11	* but WITHOUT ANY WARRANTY; without even the implied warranty of
12	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13	* GNU General Public License for more details.
14	*
15	* You should have received a copy of the GNU General Public License
16	* along with this program; if not, write to the Free Software
17	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
18	*
19	* $Id: reglookup-recover.c 150 2009-03-02 02:17:46Z tim $
20	*/
21
22	#include <stdio.h>
23	#include <stdlib.h>
24
25	#include "talloc.h"
26	#include "regfi.h"
27	#include "range_list.h"
28	#include "lru_cache.h"
29
30
31	/* Globals, influenced by command line parameters */
32	bool print_verbose = false;
33	bool print_security = false;
34	bool print_header = true;
35	bool print_leftover = false;
36	bool print_parsedraw = false;
37	char* registry_file = NULL;
38
39	#include "common.c"
40
41
42	char* getQuotedData(int fd, uint32 offset, uint32 length)
43	{
44	uint8* buf;
45	char* quoted_buf;
46	uint32 len;
47
48	if((lseek(fd, offset, SEEK_SET)) == -1)
49	return NULL;
50
51	buf = (uint8*)malloc(length);
52	if(buf == NULL)
53	return NULL;
54
55	len = length;
56	if((regfi_read(fd, buf, &length) != 0) \|\| length != len)
57	{
58	free(buf);
59	return NULL;
60	}
61
62	quoted_buf = quote_buffer(buf, length, common_special_chars);
63	free(buf);
64
65	return quoted_buf;
66	}
67
68
69	void printKey(REGFI_FILE* f, REGFI_NK_REC* nk, const char* prefix)
70	{
71	char mtime[20];
72	time_t tmp_time[1];
73	struct tm* tmp_time_s = NULL;
74	char* quoted_name = NULL;
75	char* quoted_raw = "";
76
77	*tmp_time = nt_time_to_unix(&nk->mtime);
78	tmp_time_s = gmtime(tmp_time);
79	strftime(mtime, sizeof(mtime), "%Y-%m-%d %H:%M:%S", tmp_time_s);
80
81	quoted_name = quote_string(nk->keyname, key_special_chars);
82	if (quoted_name == NULL)
83	{
84	quoted_name = malloc(1*sizeof(char));
85	if(quoted_name == NULL)
86	bailOut(REGLOOKUP_EXIT_OSERR,
87	"ERROR: Could not allocate sufficient memory.\n");
88	quoted_name[0] = '\0';
89
90	fprintf(stderr, "WARN: NULL key name in NK record at offset %.8X.\n",
91	nk->offset);
92	}
93
94	if(print_parsedraw)
95	quoted_raw = getQuotedData(f->fd, nk->offset, nk->cell_size);
96
97	printf("%.8X,%.8X,KEY,%s,%s,%s,%d,,,,,,,,%s\n", nk->offset, nk->cell_size,
98	prefix, quoted_name, mtime, nk->num_values, quoted_raw);
99
100	if(print_parsedraw)
101	free(quoted_raw);
102	free(quoted_name);
103	}
104
105
106	void printValue(REGFI_FILE* f, const REGFI_VK_REC* vk, const char* prefix)
107	{
108	char* quoted_value = NULL;
109	char* quoted_name = NULL;
110	char* quoted_raw = "";
111	char* conv_error = NULL;
112	const char* str_type = NULL;
113	uint32 size = vk->data_size;
114
115	/* Microsoft's documentation indicates that "available memory" is
116	* the limit on value sizes. Annoying. We limit it to 1M which
117	* should rarely be exceeded, unless the file is corrupt or
118	* malicious. For more info, see:
119	* http://msdn2.microsoft.com/en-us/library/ms724872.aspx
120	*/
121	/* XXX: Should probably do something different here for this tool.
122	* Also, It would be really nice if this message somehow included the
123	* name of the current value we're having trouble with, since
124	* stderr/stdout don't always sync nicely.
125	*/
126	if(size > REGFI_VK_MAX_DATA_LENGTH)
127	{
128	fprintf(stderr, "WARN: value data size %d larger than "
129	"%d, truncating...\n", size, REGFI_VK_MAX_DATA_LENGTH);
130	size = REGFI_VK_MAX_DATA_LENGTH;
131	}
132
133	quoted_name = quote_string(vk->valuename, key_special_chars);
134	if (quoted_name == NULL)
135	{ /* Value names are NULL when we're looking at the "(default)" value.
136	* Currently we just return a 0-length string to try an eliminate
137	* ambiguity with a literal "(default)" value. The data type of a line
138	* in the output allows one to differentiate between the parent key and
139	* this value.
140	*/
141	quoted_name = malloc(1*sizeof(char));
142	if(quoted_name == NULL)
143	bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Could not allocate sufficient memory.\n");
144	quoted_name[0] = '\0';
145	}
146
147	quoted_value = data_to_ascii(vk->data, size, vk->type, &conv_error);
148	if(quoted_value == NULL)
149	{
150	quoted_value = malloc(1*sizeof(char));
151	if(quoted_value == NULL)
152	bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Could not allocate sufficient memory.\n");
153	quoted_value[0] = '\0';
154
155	if(conv_error == NULL)
156	fprintf(stderr, "WARN: Could not quote value for '%s/%s'. "
157	"Memory allocation failure likely.\n", prefix, quoted_name);
158	else if(print_verbose)
159	fprintf(stderr, "WARN: Could not quote value for '%s/%s'. "
160	"Returned error: %s\n", prefix, quoted_name, conv_error);
161	}
162	/* XXX: should these always be printed? */
163	else if(conv_error != NULL && print_verbose)
164	fprintf(stderr, "INFO: While quoting value for '%s/%s', "
165	"warning returned: %s\n", prefix, quoted_name, conv_error);
166
167
168	if(print_parsedraw)
169	quoted_raw = getQuotedData(f->fd, vk->offset, vk->cell_size);
170
171	str_type = regfi_type_val2str(vk->type);
172	if(str_type == NULL)
173	printf("%.8X,%.8X,VALUE,%s,%s,,,0x%.8X,%s,%d,,,,,%s\n",
174	vk->offset, vk->cell_size, prefix, quoted_name,
175	vk->type, quoted_value, vk->data_size, quoted_raw);
176	else
177	printf("%.8X,%.8X,VALUE,%s,%s,,,%s,%s,%d,,,,,%s\n",
178	vk->offset, vk->cell_size, prefix, quoted_name,
179	str_type, quoted_value, vk->data_size, quoted_raw);
180
181	if(print_parsedraw)
182	free(quoted_raw);
183	if(quoted_value != NULL)
184	free(quoted_value);
185	if(quoted_name != NULL)
186	free(quoted_name);
187	if(conv_error != NULL)
188	free(conv_error);
189	}
190
191
192	void printSK(REGFI_FILE* f, REGFI_SK_REC* sk)
193	{
194	char* quoted_raw = NULL;
195	char* empty_str = "";
196	char* owner = regfi_get_owner(sk->sec_desc);
197	char* group = regfi_get_group(sk->sec_desc);
198	char* sacl = regfi_get_sacl(sk->sec_desc);
199	char* dacl = regfi_get_dacl(sk->sec_desc);
200
201	if(print_parsedraw)
202	quoted_raw = getQuotedData(f->fd, sk->offset, sk->cell_size);
203
204	if(owner == NULL)
205	owner = empty_str;
206	if(group == NULL)
207	group = empty_str;
208	if(sacl == NULL)
209	sacl = empty_str;
210	if(dacl == NULL)
211	dacl = empty_str;
212
213	printf("%.8X,%.8X,SK,,,,,,,,%s,%s,%s,%s,%s\n", sk->offset, sk->cell_size,
214	owner, group, sacl, dacl, quoted_raw);
215
216	if(owner != empty_str)
217	free(owner);
218	if(group != empty_str)
219	free(group);
220	if(sacl != empty_str)
221	free(sacl);
222	if(dacl != empty_str)
223	free(dacl);
224
225	if(print_parsedraw)
226	free(quoted_raw);
227	}
228
229
230	int printCell(REGFI_FILE* f, uint32 offset)
231	{
232	char* quoted_buf;
233	uint32 cell_length;
234	bool unalloc;
235
236	if(!regfi_parse_cell(f->fd, offset, NULL, 0, &cell_length, &unalloc))
237	return 1;
238
239	quoted_buf = getQuotedData(f->fd, offset, cell_length);
240	if(quoted_buf == NULL)
241	return 2;
242
243	printf("%.8X,%.8X,RAW,,,,,,,,,,,,%s\n", offset, cell_length, quoted_buf);
244
245	free(quoted_buf);
246	return 0;
247	}
248
249
250	/* This function returns a properly quoted parent path or partial parent
251	* path for a given key. Returns NULL on error, "" if no path was available.
252	* Paths returned must be free()d.
253	*/
254	/* XXX: This is not terribly efficient, as it may reparse many keys
255	* repeatedly. Should try to add caching.
256	*/
257	char* getParentPath(REGFI_FILE* f, REGFI_NK_REC* nk)
258	{
259	void_stack* path_stack = void_stack_new(REGFI_MAX_DEPTH);
260	const REGFI_HBIN* hbin;
261	REGFI_NK_REC* cur_ancestor;
262	char* ret_val;
263	uint32 virt_offset, i, stack_size, ret_val_size, ret_val_used;
264	uint32 max_length;
265	/* A little hack so we don't have to walk a quoted string twice. */
266	struct name_holder
267	{
268	char* quoted_name;
269	uint32_t length;
270	};
271	struct name_holder* path_element;
272
273
274	/* The path_stack size limit should guarantee that we don't recurse forever. */
275	virt_offset = nk->parent_off;
276	ret_val_size = 1; /* NUL */
277	while(virt_offset != REGFI_OFFSET_NONE)
278	{
279	hbin = regfi_lookup_hbin(f, virt_offset);
280	if(hbin == NULL)
281	virt_offset = REGFI_OFFSET_NONE;
282	else
283	{
284	max_length = hbin->block_size + hbin->file_off
285	- (virt_offset+REGFI_REGF_SIZE);
286	cur_ancestor = regfi_parse_nk(f, virt_offset+REGFI_REGF_SIZE,
287	max_length, true);
288	printMsgs(f);
289
290	if(cur_ancestor == NULL)
291	virt_offset = REGFI_OFFSET_NONE;
292	else
293	{
294	if((cur_ancestor->key_type == REGFI_NK_TYPE_ROOTKEY1)
295	\|\| (cur_ancestor->key_type == REGFI_NK_TYPE_ROOTKEY2))
296	virt_offset = REGFI_OFFSET_NONE;
297	else
298	virt_offset = cur_ancestor->parent_off;
299
300	path_element = talloc(path_stack, struct name_holder);
301	if(path_element != NULL)
302	path_element->quoted_name = quote_string(cur_ancestor->keyname,
303	key_special_chars);
304
305	if(path_element == NULL \|\| path_element->quoted_name == NULL
306	\|\| !void_stack_push(path_stack, path_element))
307	{
308	/* XXX: Need to add a warning here */
309	regfi_free_key(cur_ancestor);
310	void_stack_free(path_stack);
311	return NULL;
312	}
313
314	/* Path element and preceeding delimiter
315	* Note that this integer can't overflow since key name lengths are
316	* 16 bits and the max depth is 512.
317	*/
318	path_element->length = strlen(path_element->quoted_name);
319	ret_val_size += path_element->length + 1;
320
321	regfi_free_key(cur_ancestor);
322	}
323	}
324	}
325
326	stack_size = void_stack_size(path_stack);
327	ret_val_used = 0;
328	ret_val = malloc(ret_val_size);
329	if(ret_val == NULL)
330	{
331	void_stack_free(path_stack);
332	return NULL;
333	}
334	ret_val[0] = '\0';
335
336	for(i=0; i<stack_size; i++)
337	{
338	path_element = void_stack_pop(path_stack);
339	snprintf(ret_val+ret_val_used, ret_val_size-ret_val_used,
340	"/%s", path_element->quoted_name);
341	ret_val_used += path_element->length + 1;
342	free(path_element->quoted_name);
343	talloc_free(path_element);
344	}
345	void_stack_free(path_stack);
346
347	return ret_val;
348	}
349
350
351	static void usage(void)
352	{
353	fprintf(stderr, "Usage: reglookup-recover [options] <REGISTRY_FILE>\n");
354	fprintf(stderr, "Version: %s\n", REGLOOKUP_VERSION);
355	fprintf(stderr, "Options:\n");
356	fprintf(stderr, "\t-v\t sets verbose mode.\n");
357	fprintf(stderr, "\t-h\t enables header row. (default)\n");
358	fprintf(stderr, "\t-H\t disables header row.\n");
359	fprintf(stderr, "\t-l\t enables leftover(raw) cell output.\n");
360	fprintf(stderr, "\t-L\t disables leftover(raw) cell output. (default)\n");
361	fprintf(stderr, "\t-r\t enables raw cell output for parsed cells.\n");
362	fprintf(stderr, "\t-R\t disables raw cell output for parsed cells. (default)\n");
363	fprintf(stderr, "\n");
364	}
365
366
367	bool removeRange(range_list* rl, uint32 offset, uint32 length)
368	{
369	int32 rm_idx;
370	const range_list_element* cur_elem;
371
372	rm_idx = range_list_find(rl, offset);
373	if(rm_idx < 0)
374	{
375	fprintf(stderr, "DEBUG: removeRange: rm_idx < 0; (%d)\n", rm_idx);
376	return false;
377	}
378
379	cur_elem = range_list_get(rl, rm_idx);
380	if(cur_elem == NULL)
381	{
382	fprintf(stderr, "DEBUG: removeRange: cur_elem == NULL. rm_idx=%d\n", rm_idx);
383	return false;
384	}
385
386	if(offset > cur_elem->offset)
387	{
388	if(!range_list_split_element(rl, rm_idx, offset))
389	{
390	fprintf(stderr, "DEBUG: removeRange: first split failed\n");
391	return false;
392	}
393	rm_idx++;
394	cur_elem = range_list_get(rl, rm_idx);
395	if(cur_elem == NULL)
396	{
397	fprintf(stderr,
398	"DEBUG: removeRange: cur_elem == NULL after first split. rm_idx=%d\n",
399	rm_idx);
400	return false;
401	}
402	}
403
404	if(offset+length < cur_elem->offset+cur_elem->length)
405	{
406	if(!range_list_split_element(rl, rm_idx, offset+length))
407	{
408	fprintf(stderr, "DEBUG: removeRange: second split failed\n");
409	return false;
410	}
411	}
412
413	if(!range_list_remove(rl, rm_idx))
414	{
415	fprintf(stderr, "DEBUG: removeRange: remove failed\n");
416	return false;
417	}
418
419	return true;
420	}
421
422
423	int extractVKs(REGFI_FILE* f,
424	range_list* unalloc_cells,
425	range_list* unalloc_values)
426	{
427	const range_list_element* cur_elem;
428	REGFI_VK_REC* vk;
429	uint32 i, j;
430
431	for(i=0; i < range_list_size(unalloc_cells); i++)
432	{
433	printMsgs(f);
434	cur_elem = range_list_get(unalloc_cells, i);
435	for(j=0; j <= cur_elem->length; j+=8)
436	{
437	vk = regfi_parse_vk(f, cur_elem->offset+j,
438	cur_elem->length-j, false);
439	printMsgs(f);
440
441	if(vk != NULL)
442	{
443	if(!range_list_add(unalloc_values, vk->offset,
444	vk->cell_size, vk))
445	{
446	fprintf(stderr, "ERROR: Couldn't add value to unalloc_values.\n");
447	return 20;
448	}
449	j+=vk->cell_size-8;
450	}
451	}
452	}
453
454	/* Remove value ranges from the unalloc_cells before we continue. */
455	for(i=0; i<range_list_size(unalloc_values); i++)
456	{
457	cur_elem = range_list_get(unalloc_values, i);
458	if(!removeRange(unalloc_cells, cur_elem->offset, cur_elem->length))
459	return 30;
460	}
461
462	return 0;
463	}
464
465
466	int extractDataCells(REGFI_FILE* f,
467	range_list* unalloc_cells,
468	range_list* unalloc_values)
469	{
470	const range_list_element* cur_elem;
471	REGFI_VK_REC* vk;
472	const REGFI_HBIN* hbin;
473	uint32 i, off, data_offset, data_maxsize;
474
475	for(i=0; i<range_list_size(unalloc_values); i++)
476	{
477	cur_elem = range_list_get(unalloc_values, i);
478	vk = (REGFI_VK_REC*)cur_elem->data;
479	if(vk == NULL)
480	return 40;
481
482	if(vk->data_size == 0)
483	vk->data = NULL;
484	else
485	{
486	off = vk->data_off+REGFI_REGF_SIZE;
487
488	if(vk->data_in_offset)
489	{
490	vk->data = regfi_parse_data(f, vk->type, vk->data_off,
491	vk->data_size, 4,
492	vk->data_in_offset, false);
493	}
494	else if(range_list_has_range(unalloc_cells, off, vk->data_size))
495	{
496	hbin = regfi_lookup_hbin(f, vk->data_off);
497	if(hbin)
498	{
499	data_offset = vk->data_off+REGFI_REGF_SIZE;
500	data_maxsize = hbin->block_size + hbin->file_off - data_offset;
501	vk->data = regfi_parse_data(f, vk->type, data_offset,
502	vk->data_size, data_maxsize,
503	vk->data_in_offset, false);
504	if(vk->data != NULL)
505	{
506	/* XXX: This strict checking prevents partial recovery of data
507	* cells. Also, see code for regfi_parse_data and note that
508	* lengths indicated in VK records are sometimes just plain
509	* wrong. Need a feedback mechanism to be more fuzzy with
510	* data cell lengths and the ranges removed.
511	*/
512	/* A data record was recovered. Remove from unalloc_cells. */
513	if(!removeRange(unalloc_cells, off, vk->data_size))
514	return 50;
515	}
516	}
517	else
518	vk->data = NULL;
519	}
520	}
521	}
522
523	return 0;
524	}
525
526
527	/* NOTE: unalloc_keys should be an empty range_list. */
528	int extractKeys(REGFI_FILE* f,
529	range_list* unalloc_cells,
530	range_list* unalloc_keys)
531	{
532	const range_list_element* cur_elem;
533	REGFI_NK_REC* key;
534	uint32 i, j;
535	int error_code = 0;
536
537	for(i=0; i < range_list_size(unalloc_cells); i++)
538	{
539	printMsgs(f);
540	cur_elem = range_list_get(unalloc_cells, i);
541	for(j=0; cur_elem->length > REGFI_NK_MIN_LENGTH
542	&& j <= cur_elem->length-REGFI_NK_MIN_LENGTH; j+=8)
543	{
544	key = regfi_parse_nk(f, cur_elem->offset+j,
545	cur_elem->length-j, false);
546	printMsgs(f);
547
548	if(key != NULL)
549	{
550	if(!range_list_add(unalloc_keys, key->offset,
551	key->cell_size, key))
552	{
553	fprintf(stderr, "ERROR: Couldn't add key to unalloc_keys.\n");
554	error_code = 20;
555	goto fail;
556	}
557	talloc_steal(unalloc_keys, key);
558	j+=key->cell_size-8;
559	}
560	}
561	}
562
563	for(i=0; i<range_list_size(unalloc_keys); i++)
564	{
565	cur_elem = range_list_get(unalloc_keys, i);
566	if(!removeRange(unalloc_cells, cur_elem->offset, cur_elem->length))
567	{
568	error_code = 30;
569	goto fail;
570	}
571	}
572
573	return 0;
574
575	fail:
576	regfi_free_key(key);
577	return error_code;
578	}
579
580	int extractValueLists(REGFI_FILE* f,
581	range_list* unalloc_cells,
582	range_list* unalloc_keys,
583	range_list* unalloc_linked_values)
584	{
585	REGFI_NK_REC* nk;
586	REGFI_VK_REC* vk;
587	const REGFI_HBIN* hbin;
588	const range_list_element* cur_elem;
589	uint32 i, j, num_keys, off, values_length, max_length;
590
591	num_keys=range_list_size(unalloc_keys);
592	for(i=0; i<num_keys; i++)
593	{
594	cur_elem = range_list_get(unalloc_keys, i);
595	if(cur_elem == NULL)
596	return 10;
597	nk = cur_elem->data;
598
599	if(nk->num_values && (nk->values_off!=REGFI_OFFSET_NONE))
600	{
601	hbin = regfi_lookup_hbin(f, nk->values_off);
602
603	if(hbin != NULL)
604	{
605	off = nk->values_off + REGFI_REGF_SIZE;
606	max_length = hbin->block_size + hbin->file_off - off;
607	nk->values = regfi_load_valuelist(f, off, nk->num_values,
608	max_length, false);
609	if(nk->values != NULL && nk->values->elements != NULL)
610	{
611	/* Number of elements in the value list may be shorter than advertised
612	* by NK record due to cell truncation. We'll consider this valid and
613	* only throw out the whole value list if it bleeds into an already
614	* parsed structure.
615	*/
616	values_length = (nk->values->num_values+1)*sizeof(uint32);
617	if(values_length != (values_length & 0xFFFFFFF8))
618	values_length = (values_length & 0xFFFFFFF8) + 8;
619
620	if(!range_list_has_range(unalloc_cells, off, values_length))
621	{ /* We've parsed a values-list which isn't in the unallocated list,
622	* so prune it.
623	*/
624	talloc_free(nk->values);
625	nk->values = NULL;
626	}
627	else
628	{ /* Values-list was recovered. Remove from unalloc_cells and
629	* inspect values.
630	*/
631	if(!removeRange(unalloc_cells, off, values_length))
632	return 20;
633
634	for(j=0; j < nk->values->num_values; j++)
635	{
636	/* Don't bother to restrict cell length here, since we'll
637	* check our unalloc_cells range_list later.
638	*/
639	vk = regfi_parse_vk(f, nk->values->elements[j]+REGFI_REGF_SIZE,
640	0x7FFFFFFF, false);
641	printMsgs(f);
642
643	if(vk != NULL)
644	{
645	if(range_list_has_range(unalloc_cells,
646	vk->offset, vk->cell_size))
647	{
648	if(!range_list_add(unalloc_linked_values, vk->offset,
649	vk->cell_size, vk))
650	{
651	talloc_free(vk);
652	return 30;
653	}
654
655	if(!removeRange(unalloc_cells, vk->offset, vk->cell_size))
656	return 40;
657	}
658	else
659	talloc_free(vk);
660	}
661	}
662	}
663	}
664	}
665	}
666	}
667
668	return 0;
669	}
670
671
672
673	/* NOTE: unalloc_sks should be an empty range_list. */
674	int extractSKs(REGFI_FILE* f,
675	range_list* unalloc_cells,
676	range_list* unalloc_sks)
677	{
678	const range_list_element* cur_elem;
679	REGFI_SK_REC* sk;
680	uint32 i, j;
681
682	for(i=0; i < range_list_size(unalloc_cells); i++)
683	{
684	printMsgs(f);
685	cur_elem = range_list_get(unalloc_cells, i);
686	for(j=0; j <= cur_elem->length; j+=8)
687	{
688	sk = regfi_parse_sk(f, cur_elem->offset+j,
689	cur_elem->length-j, false);
690	printMsgs(f);
691
692	if(sk != NULL)
693	{
694	if(!range_list_add(unalloc_sks, sk->offset,
695	sk->cell_size, sk))
696	{
697	fprintf(stderr, "ERROR: Couldn't add sk to unalloc_sks.\n");
698	return 20;
699	}
700	talloc_steal(unalloc_sks, sk);
701	j+=sk->cell_size-8;
702	}
703	}
704	}
705
706	for(i=0; i<range_list_size(unalloc_sks); i++)
707	{
708	cur_elem = range_list_get(unalloc_sks, i);
709	if(!removeRange(unalloc_cells, cur_elem->offset, cur_elem->length))
710	return 30;
711	}
712
713	return 0;
714	}
715
716
717	int main(int argc, char** argv)
718	{
719	REGFI_FILE* f;
720	const range_list_element* cur_elem;
721	range_list* unalloc_cells;
722	range_list* unalloc_keys;
723	range_list* unalloc_linked_values;
724	range_list* unalloc_values;
725	range_list* unalloc_sks;
726	char** parent_paths;
727	char* tmp_name;
728	char* tmp_path;
729	REGFI_NK_REC* tmp_key;
730	REGFI_VK_REC* tmp_value;
731	uint32 argi, arge, i, j, ret, num_unalloc_keys;
732
733	/* Process command line arguments */
734	if(argc < 2)
735	{
736	usage();
737	bailOut(REGLOOKUP_EXIT_USAGE, "ERROR: Requires at least one argument.\n");
738	}
739
740	arge = argc-1;
741	for(argi = 1; argi < arge; argi++)
742	{
743	if (strcmp("-v", argv[argi]) == 0)
744	print_verbose = true;
745	else if (strcmp("-h", argv[argi]) == 0)
746	print_header = true;
747	else if (strcmp("-H", argv[argi]) == 0)
748	print_header = false;
749	else if (strcmp("-l", argv[argi]) == 0)
750	print_leftover = true;
751	else if (strcmp("-L", argv[argi]) == 0)
752	print_leftover = false;
753	else if (strcmp("-r", argv[argi]) == 0)
754	print_parsedraw = true;
755	else if (strcmp("-R", argv[argi]) == 0)
756	print_parsedraw = false;
757	else
758	{
759	usage();
760	fprintf(stderr, "ERROR: Unrecognized option: %s\n", argv[argi]);
761	bailOut(REGLOOKUP_EXIT_USAGE, "");
762	}
763	}
764	/test_offset = strtol(argv[argi++], NULL, 16);/
765
766	if((registry_file = strdup(argv[argi])) == NULL)
767	bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Memory allocation problem.\n");
768
769	f = regfi_open(registry_file);
770	if(f == NULL)
771	{
772	fprintf(stderr, "ERROR: Couldn't open registry file: %s\n", registry_file);
773	bailOut(REGLOOKUP_EXIT_NOINPUT, "");
774	}
775	if(print_verbose)
776	regfi_set_message_mask(f, REGFI_MSG_ERROR\|REGFI_MSG_WARN\|REGFI_MSG_INFO);
777	else
778	regfi_set_message_mask(f, REGFI_MSG_ERROR);
779
780	if(print_header)
781	printf("OFFSET,REC_LENGTH,REC_TYPE,PATH,NAME,"
782	"NK_MTIME,NK_NVAL,VK_TYPE,VK_VALUE,VK_DATA_LEN,"
783	"SK_OWNER,SK_GROUP,SK_SACL,SK_DACL,RAW_CELL\n");
784
785	unalloc_cells = regfi_parse_unalloc_cells(f);
786	if(unalloc_cells == NULL)
787	{
788	fprintf(stderr, "ERROR: Could not obtain list of unallocated cells.\n");
789	return 1;
790	}
791
792	unalloc_keys = range_list_new();
793	if(unalloc_keys == NULL)
794	return 10;
795
796	unalloc_linked_values = range_list_new();
797	if(unalloc_linked_values == NULL)
798	return 10;
799
800	unalloc_values = range_list_new();
801	if(unalloc_values == NULL)
802	return 10;
803
804	unalloc_sks = range_list_new();
805	if(unalloc_sks == NULL)
806	return 10;
807
808	ret = extractKeys(f, unalloc_cells, unalloc_keys);
809	if(ret != 0)
810	{
811	fprintf(stderr, "ERROR: extractKeys() failed with %d.\n", ret);
812	return ret;
813	}
814
815	ret = extractValueLists(f, unalloc_cells, unalloc_keys,unalloc_linked_values);
816	if(ret != 0)
817	{
818	fprintf(stderr, "ERROR: extractValueLists() failed with %d.\n", ret);
819	return ret;
820	}
821
822	/* Carve any orphan values */
823	ret = extractVKs(f, unalloc_cells, unalloc_values);
824	if(ret != 0)
825	{
826	fprintf(stderr, "ERROR: extractVKs() failed with %d.\n", ret);
827	return ret;
828	}
829
830	/* Carve any data associated with VK records */
831	ret = extractDataCells(f, unalloc_cells, unalloc_linked_values);
832	if(ret != 0)
833	{
834	fprintf(stderr, "ERROR: extractDataCells() failed with %d.\n", ret);
835	return ret;
836	}
837	ret = extractDataCells(f, unalloc_cells, unalloc_values);
838	if(ret != 0)
839	{
840	fprintf(stderr, "ERROR: extractDataCells() failed with %d.\n", ret);
841	return ret;
842	}
843
844	/* Carve any SK records */
845	ret = extractSKs(f, unalloc_cells, unalloc_sks);
846	if(ret != 0)
847	{
848	fprintf(stderr, "ERROR: extractSKs() failed with %d.\n", ret);
849	return ret;
850	}
851
852	/* Now that we're done carving, associate recovered keys with parents,
853	* if at all possible.
854	*/
855	num_unalloc_keys = range_list_size(unalloc_keys);
856	parent_paths = (char*)malloc(sizeof(char)*num_unalloc_keys);
857	if(parent_paths == NULL)
858	return 10;
859
860	for(i=0; i < num_unalloc_keys; i++)
861	{
862	cur_elem = range_list_get(unalloc_keys, i);
863	tmp_key = (REGFI_NK_REC*)cur_elem->data;
864
865	if(tmp_key == NULL)
866	return 20;
867
868	parent_paths[i] = getParentPath(f, tmp_key);
869	if(parent_paths[i] == NULL)
870	return 20;
871	}
872
873	/* Now start the output */
874	for(i=0; i < num_unalloc_keys; i++)
875	{
876	cur_elem = range_list_get(unalloc_keys, i);
877	tmp_key = (REGFI_NK_REC*)cur_elem->data;
878
879	printKey(f, tmp_key, parent_paths[i]);
880	if(tmp_key->num_values > 0 && tmp_key->values != NULL)
881	{
882	tmp_name = quote_string(tmp_key->keyname, key_special_chars);
883	tmp_path = (char*)malloc(strlen(parent_paths[i])+strlen(tmp_name)+2);
884	if(tmp_path == NULL)
885	{
886	free(tmp_name);
887	return 10;
888	}
889
890	sprintf(tmp_path, "%s/%s", parent_paths[i], tmp_name);
891	for(j=0; j < tmp_key->values->num_values; j++)
892	{
893	tmp_value =
894	(REGFI_VK_REC*)range_list_find_data(unalloc_linked_values,
895	tmp_key->values->elements[j]
896	+ REGFI_REGF_SIZE);
897	if(tmp_value != NULL)
898	printValue(f, tmp_value, tmp_path);
899	}
900	free(tmp_path);
901	free(tmp_name);
902	free(parent_paths[i]);
903	}
904	}
905	free(parent_paths);
906
907	/* Print out orphaned values */
908	for(i=0; i < range_list_size(unalloc_values); i++)
909	{
910	cur_elem = range_list_get(unalloc_values, i);
911	tmp_value = (REGFI_VK_REC*)cur_elem->data;
912
913	printValue(f, tmp_value, "");
914	}
915
916	if(print_leftover)
917	{
918	for(i=0; i < range_list_size(unalloc_cells); i++)
919	{
920	cur_elem = range_list_get(unalloc_cells, i);
921	printCell(f, cur_elem->offset);
922	}
923	}
924
925	range_list_free(unalloc_cells);
926	range_list_free(unalloc_keys);
927	range_list_free(unalloc_linked_values);
928	range_list_free(unalloc_values);
929	range_list_free(unalloc_sks);
930
931	return 0;
932	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: