source: trunk/src/reglookup.c @ 161

Last change on this file since 161 was 161, checked in by tim, 14 years ago

added support for UTF-16LE key names

1/*
2 * A utility to read Windows NT and later registry files.
3 *
4 * Copyright (C) 2005-2009 Timothy D. Morgan
5 * Copyright (C) 2002 Richard Sharpe, rsharpe@richardsharpe.com
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; version 3 of the License.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 
19 *
20 * $Id: reglookup.c 161 2009-12-07 17:01:22Z tim $
21 */
22
23
24#include <stdlib.h>
25#include <stdio.h>
26#include <string.h>
27#include <strings.h>
28#include <time.h>
29#include "regfi.h"
30#include "void_stack.h"
31
/* Output switches; main() sets these while parsing the command line. */
bool print_verbose = false;        /* -v */
bool print_security = false;       /* -s enables, -S disables */
bool print_header = true;          /* -h enables, -H disables */

/* Filters; each value is only meaningful while its *_enabled flag is set. */
bool path_filter_enabled = false;  /* -p */
bool type_filter_enabled = false;  /* -t */
char *path_filter = NULL;          /* strdup()ed copy of the -p argument */
int type_filter;                   /* result of regfi_type_str2val() on -t */

/* Copy of the final command line argument: the hive file to read. */
char *registry_file = NULL;

/* Handle returned by regfi_open() for registry_file. */
REGFI_FILE *f;
44
45
46/* XXX: A hack to share some functions with reglookup-recover.c.
47 *      Should move these into a proper library at some point.
48 */
49#include "common.c"
50
51
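/*
 * Prints one CSV record for the value vk.  prefix is the path of the key
 * that holds the value; the callers in this file pass the string built by
 * iter2Path().
 *
 * The value's data is fetched through iter and converted with
 * data_to_ascii().  Fetch or conversion problems are reported on stderr and
 * the record is still printed, with an empty value field.
 *
 * Exits through bailOut() if the placeholder for an unnamed value cannot be
 * allocated.
 */
void printValue(REGFI_ITERATOR* iter, const REGFI_VK_REC* vk, char* prefix)
{
  REGFI_DATA* data;
  char* quoted_value = NULL;
  char* quoted_name = NULL;
  char* conv_error = NULL;
  const char* str_type = NULL;
  const char* value_field;
  const char* tail;

  quoted_name = quote_string(vk->valuename, key_special_chars);
  if (quoted_name == NULL)
  { /* Value names are NULL when we're looking at the "(default)" value.
     * Currently we just return a 0-length string to try and eliminate
     * ambiguity with a literal "(default)" value.  The data type of a line
     * in the output allows one to differentiate between the parent key and
     * this value.
     */
    quoted_name = malloc(1);
    if(quoted_name == NULL)
      bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Could not allocate sufficient memory.\n");
    quoted_name[0] = '\0';
  }

  data = regfi_iterator_fetch_data(iter, vk);

  printMsgs(iter->f);
  if(data != NULL)
  {
    quoted_value = data_to_ascii(data, &conv_error);
    if(quoted_value == NULL)
    {
      if(conv_error == NULL)
        fprintf(stderr, "WARN: Could not quote value for '%s/%s'.  "
                "Memory allocation failure likely.\n", prefix, quoted_name);
      else
        fprintf(stderr, "WARN: Could not quote value for '%s/%s'.  "
                "Returned error: %s\n", prefix, quoted_name, conv_error);
    }
    else if(conv_error != NULL)
      fprintf(stderr, "WARN: While quoting value for '%s/%s', "
              "warning returned: %s\n", prefix, quoted_name, conv_error);
    regfi_free_data(data);
  }

  /* quoted_value is still NULL when the data could not be fetched or
   * converted.  Handing NULL to "%s" is undefined behaviour, and the
   * "(null)" text some C libraries print for it would be indistinguishable
   * from a value that really contains that text, so print an empty field.
   */
  value_field = (quoted_value != NULL) ? quoted_value : "";

  /* With security output enabled, the columns after VALUE are left empty. */
  tail = print_security ? ",,,,,\n" : ",\n";

  str_type = regfi_type_val2str(vk->type);
  if(str_type == NULL)
    /* No name for this type: fall back to the numeric type in hex. */
    printf("%s/%s,0x%.8X,%s%s", prefix, quoted_name,
           vk->type, value_field, tail);
  else
    printf("%s/%s,%s,%s%s", prefix, quoted_name,
           str_type, value_field, tail);

  free(quoted_value);
  free(quoted_name);
  free(conv_error);
}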
122
123
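/*
 * Splits the '/'-separated path s into a NULL-terminated array of newly
 * allocated component strings.  Empty components (leading, trailing or
 * repeated '/') are skipped.
 *
 * Returns NULL only when the array itself cannot be allocated.  A NULL s
 * yields a valid array with no components.  The caller releases the result
 * with freePath().
 *
 * Exits through bailOut() when a component cannot be allocated or when the
 * path has more than REGFI_MAX_DEPTH+1 components.
 */
char** splitPath(const char* s)
{
  char** ret_val;
  const char* cur = s;
  const char* next = NULL;
  char* copy;
  size_t len;
  uint32 ret_cur = 0;

  /* One extra slot for a value name at the end, one more for the NULL. */
  ret_val = malloc((REGFI_MAX_DEPTH+1+1)*sizeof(*ret_val));
  if (ret_val == NULL)
    return NULL;
  ret_val[0] = NULL;

  /* We return a well-formed, 0-length, path even when input is icky. */
  if (s == NULL)
    return ret_val;

  while((next = strchr(cur, '/')) != NULL)
  {
    len = (size_t)(next-cur);
    if (len > 0)
    {
      copy = malloc(len+1);
      if(copy == NULL)
        bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Memory allocation problem.\n");

      memcpy(copy, cur, len);
      copy[len] = '\0';
      ret_val[ret_cur++] = copy;
      /* Only write the terminator while it still fits in the array. */
      if(ret_cur < (REGFI_MAX_DEPTH+1+1))
        ret_val[ret_cur] = NULL;
      else
        bailOut(REGLOOKUP_EXIT_DATAERR, "ERROR: Registry maximum depth exceeded.\n");
    }
    cur = next+1;
  }

  /* Grab last element, if path doesn't end in '/'. */
  if(*cur != '\0')
  {
    copy = strdup(cur);
    /* A failed strdup() would otherwise be stored as an early NULL
     * terminator and silently shorten the path.
     */
    if(copy == NULL)
      bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Memory allocation problem.\n");

    ret_val[ret_cur++] = copy;
    if(ret_cur < (REGFI_MAX_DEPTH+1+1))
      ret_val[ret_cur] = NULL;
    else
      bailOut(REGLOOKUP_EXIT_DATAERR, "ERROR: Registry maximum depth exceeded.\n");
  }

  return ret_val;
}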
173
174
/*
 * Releases a NULL-terminated array of strings such as the one splitPath()
 * returns: every element up to the terminator, then the array itself.
 * A NULL path is accepted and ignored.
 */
void freePath(char** path)
{
  char** elem;

  if(path != NULL)
  {
    for(elem = path; *elem != NULL; elem++)
      free(*elem);

    free(path);
  }
}
187
188
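/*
 * Returns a quoted path from an iterator's stack.
 *
 * The path starts with '/' and has one quoted component per key below the
 * root, ending with the iterator's current key.  When the position stack is
 * empty the result is just "/".
 *
 * Returns a malloc()ed string that the caller must free(), or NULL when
 * memory runs out or a key name cannot be quoted.
 */
char* iter2Path(REGFI_ITERATOR* i)
{
  const REGFI_ITER_POSITION* cur;
  const REGFI_NK_REC* tmp_key;
  /* buf_left counts the unused bytes of buf including the one reserved for
   * the terminator, so the next write position is buf_len-buf_left-1.
   */
  uint32 buf_left = 127;
  uint32 buf_len = buf_left+1;
  uint32 name_len = 0;
  uint32 grow_amt;
  char* buf;
  char* new_buf;
  char* name;
  void_stack_iterator* iter;

  buf = malloc(buf_len);
  if (buf == NULL)
    return NULL;
  buf[0] = '\0';

  iter = void_stack_iterator_new(i->key_positions);
  if (iter == NULL)
  {
    free(buf);
    return NULL;
  }

  /* skip root element */
  if(void_stack_size(i->key_positions) < 1)
  {
    buf[0] = '/';
    buf[1] = '\0';
    /* NOTE(review): the stack iterator is released with free() on every
     * exit, as the realloc-failure path below already did; confirm that
     * this matches how void_stack allocates it.
     */
    free(iter);
    return buf;
  }
  cur = void_stack_iterator_next(iter);

  do
  {
    /* Once the stack is exhausted, the last component is the current key. */
    cur = void_stack_iterator_next(iter);
    if (cur == NULL)
      tmp_key = i->cur_key;
    else
      tmp_key = cur->nk;

    /* A key without an interpreted name is quoted from its own raw bytes.
     * Taking them from i->cur_key instead would print the current key's
     * name in place of an ancestor's.
     */
    if(tmp_key->keyname == NULL)
      name = quote_buffer(tmp_key->keyname_raw, tmp_key->name_length,
                          key_special_chars);
    else
      name = quote_string(tmp_key->keyname, key_special_chars);

    /* Quoting can fail; strlen(NULL) below would be undefined behaviour. */
    if(name == NULL)
    {
      free(buf);
      free(iter);
      return NULL;
    }

    buf[buf_len-buf_left-1] = '/';
    buf_left -= 1;
    name_len = strlen(name);
    if(name_len+1 > buf_left)
    {
      /* Grow by what this name needs plus half the current size.  The
       * write position buf_len-buf_left-1 is unchanged by the resize.
       */
      grow_amt = (uint32)(buf_len/2);
      buf_len += name_len+1+grow_amt-buf_left;
      if((new_buf = realloc(buf, buf_len)) == NULL)
      {
        free(name);
        free(buf);
        free(iter);
        return NULL;
      }
      buf = new_buf;
      buf_left = grow_amt + name_len + 1;
    }
    memcpy(buf+(buf_len-buf_left-1), name, name_len);
    buf_left -= name_len;
    buf[buf_len-buf_left-1] = '\0';
    free(name);
  } while(cur != NULL);

  free(iter);
  return buf;
}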
263
264
/*
 * Prints every value of the iterator's current key that passes the type
 * filter, using prefix as the key's path.  Each value record is released
 * after it has been handled, and pending library messages are printed after
 * each step to the next value.
 */
void printValueList(REGFI_ITERATOR* iter, char* prefix)
{
  REGFI_VK_REC* cur_val = regfi_iterator_first_value(iter);
  bool filtered_out;

  while(cur_val != NULL)
  {
    filtered_out = type_filter_enabled && (cur_val->type != type_filter);
    if(!filtered_out)
      printValue(iter, cur_val, prefix);

    regfi_free_value(cur_val);
    cur_val = regfi_iterator_next_value(iter);
    printMsgs(iter->f);
  }
}
279
280
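/*
 * Prints the CSV record for the iterator's current key, whose path is given
 * in full_path.
 *
 * The record always carries the key's modification time.  When security
 * output is enabled and the key has a security record, the owner, group,
 * SACL, DACL and quoted class name are appended; any of these that cannot
 * be obtained is printed as an empty field.
 */
void printKey(REGFI_ITERATOR* iter, char* full_path)
{
  /* Shared stand-in for missing fields; never passed to free(). */
  static char empty_str[1] = "";
  char* owner = NULL;
  char* group = NULL;
  char* sacl = NULL;
  char* dacl = NULL;
  char* quoted_classname;
  char mtime[20];
  time_t tmp_time[1];
  struct tm* tmp_time_s = NULL;
  const REGFI_SK_REC* sk;
  const REGFI_NK_REC* k = regfi_iterator_cur_key(iter);
  REGFI_CLASSNAME* classname;

  /* The timestamp is read from the hive being examined, so it need not be
   * a sane date.  gmtime() returns NULL for times it cannot represent, and
   * strftime() returns 0 and leaves mtime indeterminate when the result
   * does not fit (e.g. a year of more than four digits).  Print an empty
   * field in either case rather than reading through NULL or emitting
   * uninitialized stack bytes.
   */
  *tmp_time = nt_time_to_unix(&k->mtime);
  tmp_time_s = gmtime(tmp_time);
  if((tmp_time_s == NULL)
     || (strftime(mtime, sizeof(mtime), "%Y-%m-%d %H:%M:%S", tmp_time_s) == 0))
  {
    fprintf(stderr, "WARN: Could not format modification time"
            " for key '%s'.\n", full_path);
    mtime[0] = '\0';
  }

  if(print_security && ((sk=regfi_iterator_cur_sk(iter)) != NULL))
  {
    owner = regfi_get_owner(sk->sec_desc);
    group = regfi_get_group(sk->sec_desc);
    sacl = regfi_get_sacl(sk->sec_desc);
    dacl = regfi_get_dacl(sk->sec_desc);
    if(owner == NULL)
      owner = empty_str;
    if(group == NULL)
      group = empty_str;
    if(sacl == NULL)
      sacl = empty_str;
    if(dacl == NULL)
      dacl = empty_str;

    classname = regfi_iterator_fetch_classname(iter, k);
    printMsgs(iter->f);
    if(classname != NULL)
    {
      if(classname->interpreted == NULL)
      {
        fprintf(stderr, "WARN: Could not convert class name"
                " charset for key '%s'.  Quoting raw...\n", full_path);
        quoted_classname = quote_buffer(classname->raw, classname->size,
                                        key_special_chars);
      }
      else
        quoted_classname = quote_string(classname->interpreted,
                                        key_special_chars);

      if(quoted_classname == NULL)
      {
        fprintf(stderr, "ERROR: Could not quote classname"
                " for key '%s' due to unknown error.\n", full_path);
        quoted_classname = empty_str;
      }
    }
    else
      quoted_classname = empty_str;
    regfi_free_classname(classname);

    printMsgs(iter->f);
    printf("%s,KEY,,%s,%s,%s,%s,%s,%s\n", full_path, mtime,
           owner, group, sacl, dacl, quoted_classname);

    /* Only strings that were actually allocated are released. */
    if(owner != empty_str)
      free(owner);
    if(group != empty_str)
      free(group);
    if(sacl != empty_str)
      free(sacl);
    if(dacl != empty_str)
      free(dacl);
    if(quoted_classname != empty_str)
      free(quoted_classname);
  }
  else
    printf("%s,KEY,,%s\n", full_path, mtime);
}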
359
360
/*
 * Prints the key the iterator currently points at and everything below it.
 * Each key is visited before its subkeys; for every visited key the key
 * record and/or its value list is printed, as the type filter allows.
 *
 * Exits through bailOut() if the starting key is NULL, a path cannot be
 * built, or the iterator cannot be moved up or down.
 */
void printKeyTree(REGFI_ITERATOR* iter)
{
  const REGFI_NK_REC* top = NULL;
  const REGFI_NK_REC* here = NULL;
  REGFI_NK_REC* child = NULL;
  char* here_path = NULL;
  int key_type = regfi_type_str2val("KEY");
  bool visit = true;

  top = here = regfi_iterator_cur_key(iter);
  child = regfi_iterator_first_subkey(iter);
  printMsgs(iter->f);

  if(top == NULL)
    bailOut(REGLOOKUP_EXIT_DATAERR, "ERROR: root cannot be NULL.\n");

  do
  {
    if(visit)
    {
      here_path = iter2Path(iter);
      if(here_path == NULL)
        bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Could not construct iterator's path.\n");

      /* No filter: print both.  Filter on KEY: keys only.
       * Filter on any other type: values only.
       */
      if(!type_filter_enabled)
      {
        printKey(iter, here_path);
        printValueList(iter, here_path);
      }
      else if(key_type == type_filter)
        printKey(iter, here_path);
      else
        printValueList(iter, here_path);

      free(here_path);
    }

    if(child != NULL)
    { /* We have unexplored sub-keys.
       * Let's move down and print this first sub-tree out.
       */
      if(!regfi_iterator_down(iter))
      {
        printMsgs(iter->f);
        bailOut(REGLOOKUP_EXIT_DATAERR, "ERROR: could not traverse iterator downward.\n");
      }

      here = regfi_iterator_cur_key(iter);
      regfi_free_key(child);
      child = regfi_iterator_first_subkey(iter);
      visit = true;
    }
    else
    {
      if(here != top)
      {
        /* We're done with this sub-tree, going up and hitting other branches. */
        if(!regfi_iterator_up(iter))
        {
          printMsgs(iter->f);
          bailOut(REGLOOKUP_EXIT_DATAERR, "ERROR: could not traverse iterator upward.\n");
        }

        here = regfi_iterator_cur_key(iter);
        if(here == NULL)
        {
          printMsgs(iter->f);
          bailOut(REGLOOKUP_EXIT_DATAERR, "ERROR: unexpected NULL for key.\n");
        }

        child = regfi_iterator_next_subkey(iter);
      }
      /* The key we are now on was already printed on the way down. */
      visit = false;
    }
    printMsgs(iter->f);
  } while((here != top) || (child != NULL));

  if(print_verbose)
    fprintf(stderr, "INFO: Finished printing key tree.\n");
}
436
437
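/* XXX: What if there is BOTH a value AND a key with that name??
 *      What if there are multiple keys/values with the same name??
 */
/*
 * Positions iter at the element named by the NULL-terminated component
 * array path.  A value found at the end of the path is printed here (subject
 * to the type filter); a key is entered and left for the caller to print.
 *
 * Returns 0 if path was not found.
 * Returns 1 if path was found as value.
 * Returns 2 if path was found as key.
 * Returns less than 0 on other error.
 *
 * The elements of path are borrowed, not copied; the caller keeps ownership.
 */
int retrievePath(REGFI_ITERATOR* iter, char** path)
{
  REGFI_VK_REC* value;
  char* tmp_path_joined;
  const char** tmp_path;
  uint32 i;
  int ret_val = 0;

  if(path == NULL)
    return -1;

  /* One extra for any value at the end, and one more for NULL */
  tmp_path = malloc(sizeof(*tmp_path)*(REGFI_MAX_DEPTH+1+1));
  if(tmp_path == NULL)
    return -2;

  /* Strip any potential value name at end of path.  The bound is tested
   * before path[] is read so the loop never looks past the last slot it
   * is allowed to copy.
   */
  for(i=0;
      (i < REGFI_MAX_DEPTH+1) && (path[i] != NULL) && (path[i+1] != NULL);
      i++)
  { tmp_path[i] = path[i]; }
  tmp_path[i] = NULL;

  if(print_verbose)
    fprintf(stderr, "INFO: Attempting to retrieve specified path: %s\n",
            path_filter);

  /* Special check for '/' path filter */
  if(path[0] == NULL)
  {
    if(print_verbose)
      fprintf(stderr, "INFO: Found final path element as root key.\n");
    free(tmp_path);
    return 2;
  }

  if(!regfi_iterator_walk_path(iter, tmp_path))
  {
    printMsgs(iter->f);
    free(tmp_path);
    return 0;
  }

  /* path[i] is the final component: first tried as a value of the key we
   * walked to, then as one of its subkeys.
   */
  if(regfi_iterator_find_value(iter, path[i]))
  {
    if(print_verbose)
      fprintf(stderr, "INFO: Found final path element as value.\n");

    value = regfi_iterator_cur_value(iter);
    printMsgs(iter->f);
    tmp_path_joined = iter2Path(iter);

    if((value == NULL) || (tmp_path_joined == NULL))
      bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Unexpected error before printValue.\n");

    if(!type_filter_enabled || (value->type == type_filter))
      printValue(iter, value, tmp_path_joined);

    regfi_free_value(value);
    free(tmp_path_joined);
    ret_val = 1;
  }
  else if(regfi_iterator_find_subkey(iter, path[i]))
  {
    printMsgs(iter->f);
    if(print_verbose)
      fprintf(stderr, "INFO: Found final path element as key.\n");

    if(!regfi_iterator_down(iter))
    {
      printMsgs(iter->f);
      bailOut(REGLOOKUP_EXIT_DATAERR, "ERROR: Unexpected error on traversing path filter key.\n");
    }

    ret_val = 2;
  }
  else
  {
    printMsgs(iter->f);

    if(print_verbose)
      fprintf(stderr, "INFO: Could not find last element of path.\n");

    ret_val = 0;
  }

  /* Released on every outcome; the found-as-key and not-found returns used
   * to leave without freeing it.
   */
  free(tmp_path);
  return ret_val;
}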
530
531
/* Writes the synopsis, version and option summary to stderr. */
static void usage(void)
{
  static const char* const option_help[] = {
    "\t-v\t sets verbose mode.\n",
    "\t-h\t enables header row. (default)\n",
    "\t-H\t disables header row.\n",
    "\t-s\t enables security descriptor output.\n",
    "\t-S\t disables security descriptor output. (default)\n",
    "\t-p\t restrict output to elements below this path.\n",
    "\t-t\t restrict results to this specific data type.\n",
    "\n"
  };
  size_t n;

  fprintf(stderr, "Usage: reglookup [-v] [-s]"
          " [-p <PATH_FILTER>] [-t <TYPE_FILTER>]"
          " <REGISTRY_FILE>\n");
  fprintf(stderr, "Version: %s\n", REGLOOKUP_VERSION);
  fprintf(stderr, "Options:\n");

  for(n = 0; n < sizeof(option_help)/sizeof(option_help[0]); n++)
    fputs(option_help[n], stderr);
}
548
549
/*
 * Entry point: parses the options, opens the hive named by the last
 * argument, prints the optional CSV header and then either the element
 * selected by the path filter or the whole key tree.
 */
int main(int argc, char** argv)
{
  REGFI_ITERATOR* iter;
  char** filter_parts = NULL;
  const char* opt;
  int lookup_result;
  uint32 argi, arge;

  /* Process command line arguments */
  if(argc < 2)
  {
    usage();
    bailOut(REGLOOKUP_EXIT_USAGE, "ERROR: Requires at least one argument.\n");
  }

  /* The last argument is always the registry file, so options are only
   * looked for in the arguments before it.
   */
  arge = argc-1;
  argi = 1;
  while(argi < arge)
  {
    opt = argv[argi];

    if (strcmp("-v", opt) == 0)
      print_verbose = true;
    else if (strcmp("-h", opt) == 0)
      print_header = true;
    else if (strcmp("-H", opt) == 0)
      print_header = false;
    else if (strcmp("-s", opt) == 0)
      print_security = true;
    else if (strcmp("-S", opt) == 0)
      print_security = false;
    else if (strcmp("-p", opt) == 0)
    {
      if(++argi >= arge)
      {
        usage();
        bailOut(REGLOOKUP_EXIT_USAGE, "ERROR: '-p' option requires parameter.\n");
      }
      path_filter = strdup(argv[argi]);
      if(path_filter == NULL)
        bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Memory allocation problem.\n");

      path_filter_enabled = true;
    }
    else if (strcmp("-t", opt) == 0)
    {
      if(++argi >= arge)
      {
        usage();
        bailOut(REGLOOKUP_EXIT_USAGE, "ERROR: '-t' option requires parameter.\n");
      }
      type_filter = regfi_type_str2val(argv[argi]);
      if(type_filter < 0)
      {
        fprintf(stderr, "ERROR: Invalid type specified: %s.\n", argv[argi]);
        bailOut(REGLOOKUP_EXIT_USAGE, "");
      }
      type_filter_enabled = true;
    }
    else
    {
      usage();
      fprintf(stderr, "ERROR: Unrecognized option: %s\n", argv[argi]);
      bailOut(REGLOOKUP_EXIT_USAGE, "");
    }

    argi++;
  }

  registry_file = strdup(argv[argi]);
  if(registry_file == NULL)
    bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Memory allocation problem.\n");

  f = regfi_open(registry_file);
  if(f == NULL)
  {
    fprintf(stderr, "ERROR: Couldn't open registry file: %s\n", registry_file);
    bailOut(REGLOOKUP_EXIT_NOINPUT, "");
  }

  if(print_verbose)
    regfi_set_message_mask(f, REGFI_MSG_INFO|REGFI_MSG_WARN|REGFI_MSG_ERROR);

  /* XXX: add command line option to choose output encoding */
  iter = regfi_iterator_new(f, REGFI_ENCODING_ASCII);
  if(iter == NULL)
  {
    printMsgs(f);
    bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Couldn't create registry iterator.\n");
  }

  if(print_header)
  {
    if(print_security)
      printf("PATH,TYPE,VALUE,MTIME,OWNER,GROUP,SACL,DACL,CLASS\n");
    else
      printf("PATH,TYPE,VALUE,MTIME\n");
  }

  if(path_filter_enabled && path_filter != NULL)
    filter_parts = splitPath(path_filter);

  if(filter_parts == NULL)
    printKeyTree(iter);
  else
  {
    lookup_result = retrievePath(iter, filter_parts);
    printMsgs(iter->f);
    freePath(filter_parts);

    /* A result of 1 means the value was already printed by retrievePath(). */
    if(lookup_result < 0)
    {
      fprintf(stderr, "ERROR: retrievePath() returned %d.\n",
              lookup_result);
      bailOut(REGLOOKUP_EXIT_DATAERR,
              "ERROR: Unknown error occurred in retrieving path.\n");
    }
    else if(lookup_result == 2)
      printKeyTree(iter);
    else if(lookup_result == 0)
      fprintf(stderr, "WARN: Specified path '%s' not found.\n", path_filter);
  }

  regfi_iterator_free(iter);
  regfi_close(f);

  return 0;
}