Changeset 121

Timestamp:

08/09/08 13:22:26 (16 years ago)

Author:

tim

Message:

fixed minor path/type filter bug in reglookup
misc code cleanups

Location:

trunk

Files:

• include/regfi.h (modified) (1 diff)
• src/common.c (modified) (2 diffs, 1 prop)
• src/reglookup-recover.c (modified) (5 diffs)
• src/reglookup.c (modified) (1 diff)

trunk/include/regfi.h

@@ -109 +109 @@
 #define NK_TYPE_ROOTKEY            0x002c
  /* TODO: Unknown type that shows up in Vista registries */
-#define NK_TYPE_UNKNOWN1           0x1020 
+#define NK_TYPE_UNKNOWN1           0x1020
 
 

trunk/src/common.c

@@ -1 +1 @@
 /*
- * A utility to read a Windows NT/2K/XP/2K3 registry file, using 
- * Gerald Carter''s regfio interface.
+ * This file stores code common to the command line tools.
+ * XXX: This should be converted to a proper library.
  *
  * Copyright (C) 2005-2008 Timothy D. Morgan
@@ -19 +19 @@
  * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.  
  *
- * $Id: $
+ * $Id$
  */
 

trunk/src/reglookup-recover.c

@@ -1 +1 @@
 /*
+ * This program attempts to recover deleted data structures in a registry hive.
+ *
  * Copyright (C) 2008 Timothy D. Morgan
  *
@@ -35 +37 @@
 char* registry_file = NULL;
 
-
 #include "common.c"
-
-/* Output format:
- *   real_offset,min_length,record_type,parent_path,name,data_type,mtime,num_values,value,data_length,raw_data
- */
-
-void regfi_print_nk(REGF_NK_REC* nk)
-{
-  printf("Found key at offset 0x%.8X:\n", nk->offset);
-  printf("  keyname: \"%s\"\n", nk->keyname);
-  printf("  parent_off (virtual): 0x%.8X\n", nk->parent_off);
-  printf("  cell_size: %d\n", nk->cell_size);
-  printf("  key_type: 0x%.4X\n", nk->key_type);
-  printf("  magic: %c%c\n", nk->magic[0], nk->magic[1]);
-  printf("  mtime: 0x%.8X 0x%.8X\n", nk->mtime.low, nk->mtime.high);
-  printf("  name_length: %d\n", nk->name_length);
-  printf("  classname_length: %d\n", nk->classname_length);
-  printf("  classname_off (virtual): 0x%.8X\n", nk->classname_off);
-  printf("  max_bytes_subkeyname: %d\n", nk->max_bytes_subkeyname);
-  printf("  max_bytes_subkeyclassname: %d\n", nk->max_bytes_subkeyclassname);
-  printf("  max_bytes_valuename: %d\n", nk->max_bytes_valuename);
-  printf("  max_bytes_value: %d\n", nk->max_bytes_value);
-  printf("  unknown1: 0x%.8X\n", nk->unknown1);
-  printf("  unknown2: 0x%.8X\n", nk->unknown2);
-  printf("  unknown3: 0x%.8X\n", nk->unknown3);
-  printf("  unk_index: 0x%.8X\n", nk->unk_index);
-  printf("  num_subkeys: %d\n", nk->num_subkeys);
-  printf("  subkeys_off (virtual): 0x%.8X\n", nk->subkeys_off);
-  printf("  num_values: %d\n", nk->num_values);
-  printf("  values_off (virtual): 0x%.8X\n", nk->values_off);
-  printf("  sk_off (virtual): 0x%.8X\n", nk->sk_off);
-  printf("\n");
-}
 
 
@@ -783 +752 @@
   }
 
-  /*XXX
-  for(i=0,k=0; i < range_list_size(unalloc_cells); i++)
-  {
-    cur_elem = range_list_get(unalloc_cells, i);
-    k+=cur_elem->length;
-  }
-  printf("UNALLOC=%d\n", k);
-  printf("UNALLOC_CELL_COUNT=%d\n", range_list_size(unalloc_cells));
-  XXX*/
-
   unalloc_keys = range_list_new();
   if(unalloc_keys == NULL)
@@ -893 +852 @@
   }
   
-  /*XXX
-  for(i=0,j=0; i < range_list_size(unalloc_cells); i++)
-  {
-    cur_elem = range_list_get(unalloc_cells, i);
-    j+=cur_elem->length;
-  }
-  printf("PARSED_UNALLOC=%d\n", k-j);
-  XXX*/
-
   if(print_leftover)
   {
@@ -911 +861 @@
   }
 
-  /*
-  printf("Analyzing test_offset...\n");
-  if((tmp_key = regfi_parse_nk(f, test_offset, 4096, false)) != NULL)
-    regfi_print_nk(tmp_key);
-  else
-    dump_cell(f->fd, test_offset);
-  */
-
   return 0;
 }

trunk/src/reglookup.c

@@ -462 +462 @@
       bailOut(EX_OSERR, "ERROR: Unexpected error before printValue.\n");
 
-    printValue(value, tmp_path_joined);
+    if(!type_filter_enabled || (value->type == type_filter))
+      printValue(value, tmp_path_joined);
 
     free(tmp_path);