source: trunk/src/reglookup.c @ 160

Last change on this file since 160 was 160, checked in by tim, 14 years ago

reorganized classname parsing and interpretation code

1/*
2 * A utility to read a Windows NT and later registry files.
3 *
4 * Copyright (C) 2005-2009 Timothy D. Morgan
5 * Copyright (C) 2002 Richard Sharpe, rsharpe@richardsharpe.com
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; version 3 of the License.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 
19 *
20 * $Id: reglookup.c 160 2009-12-07 01:00:58Z tim $
21 */
22
23
24#include <stdlib.h>
25#include <stdio.h>
26#include <string.h>
27#include <strings.h>
28#include <time.h>
29#include "regfi.h"
30#include "void_stack.h"
31
/* Globals, influenced by command line parameters */
/* Set by -v: enables the INFO messages on stderr and, in main(), the
 * INFO/WARN/ERROR message mask on the opened registry file. */
bool print_verbose = false;
/* Set by -s, cleared by -S: adds the OWNER/GROUP/SACL/DACL/CLASS columns. */
bool print_security = false;
/* Set by -h, cleared by -H: controls whether the CSV header row is printed. */
bool print_header = true;
/* True once -p has been parsed; path_filter then holds a strdup'd copy. */
bool path_filter_enabled = false;
/* True once -t has been parsed; type_filter then holds the parsed type. */
bool type_filter_enabled = false;
/* Heap copy of the -p argument, or NULL when no path filter was given. */
char* path_filter = NULL;
/* Result of regfi_type_str2val() on the -t argument; only meaningful when
 * type_filter_enabled is true. */
int type_filter;
/* Heap copy of the final command line argument (the registry file name). */
char* registry_file = NULL;

/* Other globals */
/* Handle returned by regfi_open() in main(). */
REGFI_FILE* f;
44
45
46/* XXX: A hack to share some functions with reglookup-recover.c.
47 *      Should move these into a proper library at some point.
48 */
49#include "common.c"
50
51
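/* Prints one CSV row for the value record vk located under the key path
 * prefix.
 *
 * iter   - iterator used to fetch the data belonging to vk
 * vk     - value record to print
 * prefix - path of the parent key; callers in this file pass the result of
 *          iter2Path()
 *
 * Conversion problems are reported on stderr and the row is still printed,
 * with an empty VALUE column when no printable data could be produced.
 * The data comes from the registry file being examined, so every pointer
 * handed to printf() is checked here rather than trusted.
 */
void printValue(REGFI_ITERATOR* iter, const REGFI_VK_REC* vk, char* prefix)
{
  REGFI_DATA* data;
  char* quoted_value = NULL;
  char* quoted_name = NULL;
  char* conv_error = NULL;
  const char* str_type = NULL;
  const char* out_value;

  quoted_name = quote_string(vk->valuename, key_special_chars);
  if (quoted_name == NULL)
  { /* Value names are NULL when we're looking at the "(default)" value.
     * Currently we just return a 0-length string to try and eliminate
     * ambiguity with a literal "(default)" value.  The data type of a line
     * in the output allows one to differentiate between the parent key and
     * this value.
     */
    quoted_name = malloc(1*sizeof(char));
    if(quoted_name == NULL)
      bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Could not allocate sufficient memory.\n");
    quoted_name[0] = '\0';
  }

  data = regfi_iterator_fetch_data(iter, vk);

  printMsgs(iter->f);
  if(data != NULL)
  {
    quoted_value = data_to_ascii(data, &conv_error);
    if(quoted_value == NULL)
    {
      if(conv_error == NULL)
        fprintf(stderr, "WARN: Could not quote value for '%s/%s'.  "
                "Memory allocation failure likely.\n", prefix, quoted_name);
      else
        fprintf(stderr, "WARN: Could not quote value for '%s/%s'.  "
                "Returned error: %s\n", prefix, quoted_name, conv_error);
    }
    else if(conv_error != NULL)
      fprintf(stderr, "WARN: While quoting value for '%s/%s', "
              "warning returned: %s\n", prefix, quoted_name, conv_error);
    regfi_free_data(data);
  }

  /* quoted_value is still NULL when the data could not be fetched or
   * converted.  Passing NULL for a %s conversion is undefined behavior (and
   * where the C library tolerates it, the text it prints is indistinguishable
   * from a real value), so an empty VALUE column is emitted instead.
   */
  out_value = (quoted_value != NULL) ? quoted_value : "";

  /* NOTE(review): the print_security rows below carry eight fields, while the
   * header printed by main() in that mode names nine columns -- confirm
   * whether a trailing CLASS field is intended before changing the format.
   */
  str_type = regfi_type_val2str(vk->type);
  if(print_security)
  {
    if(str_type == NULL)
      printf("%s/%s,0x%.8X,%s,,,,,\n", prefix, quoted_name,
             vk->type, out_value);
    else
      printf("%s/%s,%s,%s,,,,,\n", prefix, quoted_name,
             str_type, out_value);
  }
  else
  {
    if(str_type == NULL)
      printf("%s/%s,0x%.8X,%s,\n", prefix, quoted_name,
             vk->type, out_value);
    else
      printf("%s/%s,%s,%s,\n", prefix, quoted_name,
             str_type, out_value);
  }

  /* free(NULL) is a no-op, so no guards are needed. */
  free(quoted_value);
  free(quoted_name);
  free(conv_error);
}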
122
123
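/* Splits the '/'-delimited string s into a NULL-terminated array of newly
 * allocated path components.  Empty components (leading, trailing or
 * repeated '/') are skipped.
 *
 * Returns NULL only when the array itself cannot be allocated; a NULL s
 * yields a well-formed, empty array.  The caller releases the result with
 * freePath().
 *
 * Calls bailOut() (defined outside this listing; the code here relies on it
 * not returning) when a component cannot be allocated or when the path
 * holds more than REGFI_MAX_DEPTH+1 components.
 */
char** splitPath(const char* s)
{
  /* One extra slot for any value name at the end, and one for the NULL. */
  const uint32 max_slots = REGFI_MAX_DEPTH+1+1;
  char** ret_val;
  const char* cur = s;
  char* next = NULL;
  char* copy;
  size_t len;
  uint32 ret_cur = 0;

  /* The array holds char* elements, so that is the element size to use. */
  ret_val = malloc(max_slots*sizeof(char*));
  if (ret_val == NULL)
    return NULL;
  ret_val[0] = NULL;

  /* We return a well-formed, 0-length, path even when input is icky. */
  if (s == NULL)
    return ret_val;

  while((next = strchr(cur, '/')) != NULL)
  {
    len = (size_t)(next-cur);
    if (len > 0)
    {
      copy = malloc((len+1)*sizeof(char));
      if(copy == NULL)
        bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Memory allocation problem.\n");

      memcpy(copy, cur, len);
      copy[len] = '\0';
      ret_val[ret_cur++] = copy;
      /* Keep the array terminated after every append; the depth check runs
       * before the terminator is written, so the write stays in bounds. */
      if(ret_cur < max_slots)
        ret_val[ret_cur] = NULL;
      else
        bailOut(REGLOOKUP_EXIT_DATAERR, "ERROR: Registry maximum depth exceeded.\n");
    }
    cur = next+1;
  }

  /* Grab last element, if path doesn't end in '/'. */
  if(*cur != '\0')
  {
    copy = strdup(cur);
    /* A failed strdup() would otherwise be stored as the terminator and
     * silently drop the final component from the filter. */
    if(copy == NULL)
      bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Memory allocation problem.\n");

    ret_val[ret_cur++] = copy;
    if(ret_cur < max_slots)
      ret_val[ret_cur] = NULL;
    else
      bailOut(REGLOOKUP_EXIT_DATAERR, "ERROR: Registry maximum depth exceeded.\n");
  }

  return ret_val;
}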
173
174
/* Releases a NULL-terminated component array, such as the one splitPath()
 * returns: every component first, then the array itself.  A NULL path is
 * accepted and ignored.
 */
void freePath(char** path)
{
  char** slot;

  if(path != NULL)
  {
    /* Walk up to, but not including, the NULL terminator. */
    slot = path;
    while(*slot != NULL)
    {
      free(*slot);
      slot++;
    }

    free(path);
  }
}
187
188
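/* Returns a quoted path from an iterator's stack.
 *
 * The first entry of i->key_positions is skipped as the root; each later
 * entry, and finally i->cur_key, contributes "/" followed by its key name
 * passed through quote_string().  When the stack is empty the result is "/".
 *
 * Returns a heap buffer the caller must free(), or NULL when memory cannot
 * be allocated or a key name cannot be quoted.
 */
char* iter2Path(REGFI_ITERATOR* i)
{
  const REGFI_ITER_POSITION* cur;
  /* Invariant between iterations: the terminator sits at
   * buf[buf_len-buf_left-1] and buf_left bytes remain after it. */
  uint32 buf_left = 127;
  uint32 buf_len = buf_left+1;
  uint32 name_len = 0;
  uint32 grow_amt;
  char* buf;
  char* new_buf;
  char* name;
  const char* cur_name;
  void_stack_iterator* iter;

  buf = malloc(buf_len*sizeof(char));
  if (buf == NULL)
    return NULL;
  buf[0] = '\0';

  iter = void_stack_iterator_new(i->key_positions);
  if (iter == NULL)
  {
    free(buf);
    return NULL;
  }

  if(void_stack_size(i->key_positions) < 1)
  {
    buf[0] = '/';
    buf[1] = '\0';
    /* The stack iterator is released on every exit, with free() as the
     * realloc failure path below does. */
    free(iter);
    return buf;
  }

  /* skip root element */
  cur = void_stack_iterator_next(iter);

  do
  {
    cur = void_stack_iterator_next(iter);
    if (cur == NULL)
      cur_name = i->cur_key->keyname;
    else
      cur_name = cur->nk->keyname;

    /* Overwrite the terminator with the separator; at least one byte is
     * always left over from the previous iteration. */
    buf[buf_len-buf_left-1] = '/';
    buf_left -= 1;

    name = quote_string(cur_name, key_special_chars);
    /* quote_string() can return NULL (printValue() in this file handles that
     * case for value names); key names come from the registry file under
     * examination, so fail cleanly instead of handing NULL to strlen(). */
    if(name == NULL)
    {
      free(buf);
      free(iter);
      return NULL;
    }

    name_len = strlen(name);
    if(name_len+1 > buf_left)
    {
      /* Grow so that the name, its terminator and grow_amt spare bytes fit
       * behind the current write position. */
      grow_amt = (uint32)(buf_len/2);
      buf_len += name_len+1+grow_amt-buf_left;
      if((new_buf = realloc(buf, buf_len)) == NULL)
      {
        free(name);
        free(buf);
        free(iter);
        return NULL;
      }
      buf = new_buf;
      buf_left = grow_amt + name_len + 1;
    }

    /* Exactly name_len bytes are copied; the terminator is written below. */
    memcpy(buf+(buf_len-buf_left-1), name, name_len);
    buf_left -= name_len;
    buf[buf_len-buf_left-1] = '\0';
    free(name);
  } while(cur != NULL);

  free(iter);
  return buf;
}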
258
259
/* Prints every value of the iterator's current key under the path prefix.
 * When a type filter is active only values of that type are printed.  Each
 * value record is released after use, and pending library messages are
 * flushed with printMsgs() after each advance.
 */
void printValueList(REGFI_ITERATOR* iter, char* prefix)
{
  REGFI_VK_REC* vk;

  /* The increment clause advances first and flushes messages second,
   * matching the order in which the records are fetched. */
  for(vk = regfi_iterator_first_value(iter);
      vk != NULL;
      vk = regfi_iterator_next_value(iter), printMsgs(iter->f))
  {
    if(!(type_filter_enabled && (vk->type != type_filter)))
      printValue(iter, vk, prefix);

    regfi_free_value(vk);
  }
}
274
275
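/* Prints the CSV row for the iterator's current key.
 *
 * iter      - iterator positioned on the key to print
 * full_path - path of that key, printed as the PATH column
 *
 * With print_security set and a security record available, the row is
 * PATH,KEY,,MTIME,OWNER,GROUP,SACL,DACL,CLASS; otherwise it is
 * PATH,KEY,,MTIME.  Class name conversion problems are reported on stderr.
 *
 * NOTE(review): when print_security is set but no security record is
 * returned, the short row is printed under the nine-column header -- confirm
 * that consumers of the output expect this.
 */
void printKey(REGFI_ITERATOR* iter, char* full_path)
{
  /* Shared stand-in for missing strings; compared by address below so that
   * it is never passed to free(). */
  static char empty_str[1] = "";
  char* owner = NULL;
  char* group = NULL;
  char* sacl = NULL;
  char* dacl = NULL;
  char* quoted_classname;
  char mtime[20];
  time_t tmp_time;
  struct tm* tmp_time_s = NULL;
  const REGFI_SK_REC* sk;
  const REGFI_NK_REC* k = regfi_iterator_cur_key(iter);
  REGFI_CLASSNAME* classname;

  /* The timestamp is read from the registry file, so it may be out of range:
   * gmtime() returns NULL for a time it cannot represent, and strftime()
   * returns 0 (leaving the buffer unspecified) when the result does not fit.
   * Either way print an empty MTIME column instead of using bad data.
   */
  tmp_time = nt_time_to_unix(&k->mtime);
  tmp_time_s = gmtime(&tmp_time);
  if((tmp_time_s == NULL)
     || (strftime(mtime, sizeof(mtime), "%Y-%m-%d %H:%M:%S", tmp_time_s) == 0))
  {
    fprintf(stderr, "WARN: Could not format modification time"
            " for key '%s'.\n", full_path);
    mtime[0] = '\0';
  }

  if(print_security && (sk=regfi_iterator_cur_sk(iter)))
  {
    owner = regfi_get_owner(sk->sec_desc);
    group = regfi_get_group(sk->sec_desc);
    sacl = regfi_get_sacl(sk->sec_desc);
    dacl = regfi_get_dacl(sk->sec_desc);
    if(owner == NULL)
      owner = empty_str;
    if(group == NULL)
      group = empty_str;
    if(sacl == NULL)
      sacl = empty_str;
    if(dacl == NULL)
      dacl = empty_str;

    classname = regfi_iterator_fetch_classname(iter, k);
    printMsgs(iter->f);
    if(classname != NULL)
    {
      if(classname->interpreted == NULL)
      {
        /* No converted form is available, so quote the raw bytes. */
        fprintf(stderr, "WARN: Could not convert class name"
                " charset for key '%s'.  Quoting raw...\n", full_path);
        quoted_classname = quote_buffer(classname->raw, classname->size,
                                        key_special_chars);
      }
      else
        quoted_classname = quote_string(classname->interpreted,
                                        key_special_chars);

      if(quoted_classname == NULL)
      {
        fprintf(stderr, "ERROR: Could not quote classname"
                " for key '%s' due to unknown error.\n", full_path);
        quoted_classname = empty_str;
      }
    }
    else
      quoted_classname = empty_str;
    regfi_free_classname(classname);

    printMsgs(iter->f);
    printf("%s,KEY,,%s,%s,%s,%s,%s,%s\n", full_path, mtime,
           owner, group, sacl, dacl, quoted_classname);

    if(owner != empty_str)
      free(owner);
    if(group != empty_str)
      free(group);
    if(sacl != empty_str)
      free(sacl);
    if(dacl != empty_str)
      free(dacl);
    if(quoted_classname != empty_str)
      free(quoted_classname);
  }
  else
    printf("%s,KEY,,%s\n", full_path, mtime);
}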
354
355
/* Prints the key the iterator is positioned on and everything below it.
 *
 * Each key is printed when it is first reached: its own row (unless a type
 * filter other than KEY is active) followed by its values (unless the type
 * filter is KEY).  The walk then descends into the first unexplored subkey,
 * or climbs back up and moves on to the next sibling, until it is back at
 * the starting key with no subkeys left.  Traversal failures end the
 * program through bailOut().
 */
void printKeyTree(REGFI_ITERATOR* iter)
{
  const REGFI_NK_REC* top;
  const REGFI_NK_REC* here;
  REGFI_NK_REC* child;
  char* key_path = NULL;
  const int key_type = regfi_type_str2val("KEY");
  bool visit = true;
  bool finished;

  here = regfi_iterator_cur_key(iter);
  top = here;
  child = regfi_iterator_first_subkey(iter);
  printMsgs(iter->f);

  if(top == NULL)
    bailOut(REGLOOKUP_EXIT_DATAERR, "ERROR: root cannot be NULL.\n");

  do
  {
    if(visit)
    {
      key_path = iter2Path(iter);
      if(key_path == NULL)
        bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Could not construct iterator's path.\n");

      if(!type_filter_enabled)
      { /* No filter: the key row first, then its values. */
        printKey(iter, key_path);
        printValueList(iter, key_path);
      }
      else if(key_type == type_filter)
        printKey(iter, key_path);
      else
        printValueList(iter, key_path);

      free(key_path);
    }

    if(child != NULL)
    { /* We have unexplored sub-keys.
       * Let's move down and print this first sub-tree out.
       */
      if(!regfi_iterator_down(iter))
      {
        printMsgs(iter->f);
        bailOut(REGLOOKUP_EXIT_DATAERR, "ERROR: could not traverse iterator downward.\n");
      }

      here = regfi_iterator_cur_key(iter);
      regfi_free_key(child);
      child = regfi_iterator_first_subkey(iter);
      visit = true;
    }
    else
    {
      if(here != top)
      {
        /* We're done with this sub-tree, going up and hitting other branches. */
        if(!regfi_iterator_up(iter))
        {
          printMsgs(iter->f);
          bailOut(REGLOOKUP_EXIT_DATAERR, "ERROR: could not traverse iterator upward.\n");
        }

        here = regfi_iterator_cur_key(iter);
        if(here == NULL)
        {
          printMsgs(iter->f);
          bailOut(REGLOOKUP_EXIT_DATAERR, "ERROR: unexpected NULL for key.\n");
        }

        child = regfi_iterator_next_subkey(iter);
      }
      /* The key we climbed back to was already printed on the way down. */
      visit = false;
    }

    printMsgs(iter->f);
    finished = (here == top) && (child == NULL);
  } while(!finished);

  if(print_verbose)
    fprintf(stderr, "INFO: Finished printing key tree.\n");
}
431
432
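/* XXX: What if there is BOTH a value AND a key with that name??
 *      What if there are multiple keys/values with the same name??
 */
/*
 * Positions iter on the element named by the NULL-terminated component
 * array path.  All components but the last are walked as keys; the last one
 * is looked up first as a value and then as a subkey.  A value that is found
 * is printed here (subject to the type filter); a key that is found is
 * entered so the caller can print its tree.
 *
 * Returns 0 if path was not found.
 * Returns 1 if path was found as value.
 * Returns 2 if path was found as key.
 * Returns less than 0 on other error.
 */
int retrievePath(REGFI_ITERATOR* iter, char** path)
{
  REGFI_VK_REC* value;
  char* tmp_path_joined;
  const char** tmp_path;
  uint32 i;

  if(path == NULL)
    return -1;

  /* One extra for any value at the end, and one more for NULL */
  tmp_path = malloc(sizeof(const char*)*(REGFI_MAX_DEPTH+1+1));
  if(tmp_path == NULL)
    return -2;

  /* Strip any potential value name at end of path.  The bound is tested
   * before path[] is read so the index is known to be in range first. */
  for(i=0;
      (i < REGFI_MAX_DEPTH+1) && (path[i] != NULL) && (path[i+1] != NULL);
      i++)
  { tmp_path[i] = path[i]; }
  tmp_path[i] = NULL;

  if(print_verbose)
    fprintf(stderr, "INFO: Attempting to retrieve specified path: %s\n",
            path_filter);

  /* Special check for '/' path filter */
  if(path[0] == NULL)
  {
    if(print_verbose)
      fprintf(stderr, "INFO: Found final path element as root key.\n");
    free(tmp_path);
    return 2;
  }

  if(!regfi_iterator_walk_path(iter, tmp_path))
  {
    printMsgs(iter->f);
    free(tmp_path);
    return 0;
  }

  /* tmp_path only borrows the component pointers owned by path, so the
   * array alone is released once the walk is over; every return below this
   * point then needs no further cleanup of it. */
  free(tmp_path);

  if(regfi_iterator_find_value(iter, path[i]))
  {
    if(print_verbose)
      fprintf(stderr, "INFO: Found final path element as value.\n");

    value = regfi_iterator_cur_value(iter);
    printMsgs(iter->f);
    tmp_path_joined = iter2Path(iter);

    if((value == NULL) || (tmp_path_joined == NULL))
      bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Unexpected error before printValue.\n");

    if(!type_filter_enabled || (value->type == type_filter))
      printValue(iter, value, tmp_path_joined);

    regfi_free_value(value);
    free(tmp_path_joined);
    return 1;
  }
  else if(regfi_iterator_find_subkey(iter, path[i]))
  {
    printMsgs(iter->f);
    if(print_verbose)
      fprintf(stderr, "INFO: Found final path element as key.\n");

    if(!regfi_iterator_down(iter))
    {
      printMsgs(iter->f);
      bailOut(REGLOOKUP_EXIT_DATAERR, "ERROR: Unexpected error on traversing path filter key.\n");
    }

    return 2;
  }
  printMsgs(iter->f);

  if(print_verbose)
    fprintf(stderr, "INFO: Could not find last element of path.\n");

  return 0;
}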
525
526
/* Writes the command synopsis, the program version and the list of
 * supported options to stderr.
 */
static void usage(void)
{
  /* One entry per option line, in the order they are shown. */
  static const char* const option_help[] = {
    "\t-v\t sets verbose mode.\n",
    "\t-h\t enables header row. (default)\n",
    "\t-H\t disables header row.\n",
    "\t-s\t enables security descriptor output.\n",
    "\t-S\t disables security descriptor output. (default)\n",
    "\t-p\t restrict output to elements below this path.\n",
    "\t-t\t restrict results to this specific data type.\n"
  };
  size_t n;

  fputs("Usage: reglookup [-v] [-s]"
        " [-p <PATH_FILTER>] [-t <TYPE_FILTER>]"
        " <REGISTRY_FILE>\n", stderr);
  fprintf(stderr, "Version: %s\n", REGLOOKUP_VERSION);
  fputs("Options:\n", stderr);
  for(n = 0; n < sizeof(option_help)/sizeof(option_help[0]); n++)
    fputs(option_help[n], stderr);
  fputs("\n", stderr);
}
543
544
/* Entry point: parses the options, opens the registry file named by the
 * final argument, prints the optional CSV header and then either the whole
 * key tree or only the part selected with -p.
 *
 * Usage errors, allocation failures and registry access failures end the
 * program through bailOut(); a path filter that matches nothing only
 * produces a warning on stderr.
 */
int main(int argc, char** argv)
{
  char** split_filter = NULL;
  REGFI_ITERATOR* iter;
  int lookup_result;
  uint32 pos, last;
  const char* opt;

  /* Process command line arguments */
  if(argc < 2)
  {
    usage();
    bailOut(REGLOOKUP_EXIT_USAGE, "ERROR: Requires at least one argument.\n");
  }

  /* The final argument is always taken as the registry file, so option
   * parsing stops just before it. */
  last = argc-1;
  pos = 1;
  while(pos < last)
  {
    opt = argv[pos];

    if(strcmp("-p", opt) == 0)
    {
      pos++;
      if(pos >= last)
      {
        usage();
        bailOut(REGLOOKUP_EXIT_USAGE, "ERROR: '-p' option requires parameter.\n");
      }

      path_filter = strdup(argv[pos]);
      if(path_filter == NULL)
        bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Memory allocation problem.\n");

      path_filter_enabled = true;
    }
    else if(strcmp("-t", opt) == 0)
    {
      pos++;
      if(pos >= last)
      {
        usage();
        bailOut(REGLOOKUP_EXIT_USAGE, "ERROR: '-t' option requires parameter.\n");
      }

      type_filter = regfi_type_str2val(argv[pos]);
      if(type_filter < 0)
      {
        fprintf(stderr, "ERROR: Invalid type specified: %s.\n", argv[pos]);
        bailOut(REGLOOKUP_EXIT_USAGE, "");
      }
      type_filter_enabled = true;
    }
    else if(strcmp("-h", opt) == 0)
      print_header = true;
    else if(strcmp("-H", opt) == 0)
      print_header = false;
    else if(strcmp("-s", opt) == 0)
      print_security = true;
    else if(strcmp("-S", opt) == 0)
      print_security = false;
    else if(strcmp("-v", opt) == 0)
      print_verbose = true;
    else
    {
      usage();
      fprintf(stderr, "ERROR: Unrecognized option: %s\n", opt);
      bailOut(REGLOOKUP_EXIT_USAGE, "");
    }

    pos++;
  }

  registry_file = strdup(argv[pos]);
  if(registry_file == NULL)
    bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Memory allocation problem.\n");

  f = regfi_open(registry_file);
  if(f == NULL)
  {
    fprintf(stderr, "ERROR: Couldn't open registry file: %s\n", registry_file);
    bailOut(REGLOOKUP_EXIT_NOINPUT, "");
  }

  if(print_verbose)
    regfi_set_message_mask(f, REGFI_MSG_INFO|REGFI_MSG_WARN|REGFI_MSG_ERROR);

  /* XXX: add command line option to choose output encoding */
  iter = regfi_iterator_new(f, 0);
  if(iter == NULL)
  {
    printMsgs(f);
    bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Couldn't create registry iterator.\n");
  }

  if(print_header)
  {
    if(print_security)
      printf("PATH,TYPE,VALUE,MTIME,OWNER,GROUP,SACL,DACL,CLASS\n");
    else
      printf("PATH,TYPE,VALUE,MTIME\n");
  }

  if(path_filter_enabled && path_filter != NULL)
    split_filter = splitPath(path_filter);

  if(split_filter == NULL)
  { /* No usable path filter: dump everything from the iterator's start. */
    printKeyTree(iter);
  }
  else
  {
    lookup_result = retrievePath(iter, split_filter);
    printMsgs(iter->f);
    freePath(split_filter);

    /* A result of 1 means the value was already printed by retrievePath(). */
    if(lookup_result < 0)
    {
      fprintf(stderr, "ERROR: retrievePath() returned %d.\n",
              lookup_result);
      bailOut(REGLOOKUP_EXIT_DATAERR,
              "ERROR: Unknown error occurred in retrieving path.\n");
    }
    else if(lookup_result == 0)
      fprintf(stderr, "WARN: Specified path '%s' not found.\n", path_filter);
    else if(lookup_result == 2)
      printKeyTree(iter);
  }

  regfi_iterator_free(iter);
  regfi_close(f);

  return 0;
}