Changeset 125


Timestamp:
08/15/08 21:21:54 (16 years ago)
Author:
tim
Message:

added early version of class name parsing. additional work still needed.

Location:
trunk
Files:
4 edited

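--- a/trunk/doc/reglookup.1.docbook
+++ b/trunk/doc/reglookup.1.docbook
@@ -27,6 +27,5 @@
         print them out to stdout in a CSV-like format.  It has filtering
         options to narrow the focus of the output.  This tool is
-        designed to work with on Windows NT/2K/XP/2K3/Vista registries,
-        though your mileage may vary.
+        designed to work with on Windows NT-based registries.
     </para>
   </refsect1>
@@ -108,7 +107,7 @@
         <listitem>
           <para>
-            Adds four additional columns to output containing
-            information from key security descriptors.  The columns
-            are: owner, group, sacl, dacl.
+            Adds five additional columns to output containing
+            information from key security descriptors and rarely used
+            fields.  The columns are: owner, group, sacl, dacl, class.
             (This feature's output has not been extensively tested.)
           </para>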
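--- a/trunk/include/regfi.h
+++ b/trunk/include/regfi.h
@@ -89,4 +89,10 @@
 
 /* Constants used for validation */
+/* XXX: Can we add clock resolution validation as well as range?  It has
+ *      been reported that Windows timestamps are never more than a
+ *      certain granularity (250ms?), which could be used to help
+ *      eliminate false positives.  Would need to validate this and
+ *      perhaps conservatively implement a check.
+ */
  /* Minimum time is Jan 1, 1990 00:00:00 */
 #define REGFI_MTIME_MIN_HIGH       0x01B41E6D
@@ -108,5 +114,5 @@
 #define NK_TYPE_NORMALKEY          0x0020
 #define NK_TYPE_ROOTKEY            0x002c
- /* TODO: Unknown type that shows up in Vista registries */
+ /* XXX: Unknown type that shows up in Vista registries */
 #define NK_TYPE_UNKNOWN1           0x1020
 
@@ -216,5 +222,4 @@
  
   /* header information */
-  /* XXX: should we be looking for types other than the root key type? */
   uint16 key_type;
   uint8  magic[REC_HDR_SIZE];
@@ -224,6 +229,6 @@
   char* classname;
   char* keyname;
-  uint32 parent_off;    /* back pointer in registry hive */
-  uint32 classname_off; 
+  uint32 parent_off;                /* pointer to parent key */
+  uint32 classname_off;
  
   /* max lengths */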
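--- a/trunk/lib/regfi.c
+++ b/trunk/lib/regfi.c
@@ -1583,5 +1583,4 @@
   ret_val->values_off = IVAL(nk_header, 0x28);
   ret_val->sk_off = IVAL(nk_header, 0x2C);
-  /* XXX: currently we do nothing with class names.  Need to investigate. */
   ret_val->classname_off = IVAL(nk_header, 0x30);
 
@@ -1594,4 +1593,5 @@
   ret_val->name_length = SVAL(nk_header, 0x48);
   ret_val->classname_length = SVAL(nk_header, 0x4A);
+
 
   if(ret_val->name_length + REGFI_NK_MIN_LENGTH > ret_val->cell_size)
@@ -1634,4 +1634,36 @@
   }
   ret_val->keyname[ret_val->name_length] = '\0';
+
+
+  /***/
+ 
+  if(ret_val->classname_length > 0
+     && ret_val->classname_off != REGF_OFFSET_NONE
+     && ret_val->classname_off == (ret_val->classname_off & 0xFFFFFFF8))
+  {
+    ret_val->classname = (char*)zalloc(ret_val->classname_length+1);
+    if(ret_val->classname != NULL)
+    {
+      if(!regfi_parse_cell(file->fd, ret_val->classname_off+REGF_BLOCKSIZE,
+                           (uint8*)ret_val->classname, ret_val->classname_length,
+                           &cell_length, &unalloc)
+         || (cell_length < ret_val->classname_length)
+         || (strict && unalloc))
+      {
+        /* Being careful not to reject the whole key here even when
+         * strict and things are obviously wrong, since it appears
+         * they're commonly obviously wrong.
+         */
+        free(ret_val->classname);
+        ret_val->classname = NULL;
+        return ret_val;
+      }
+
+      ret_val->classname[ret_val->classname_length] = '\0';
+      /*printf("==> cell_length=%d, classname_length=%d, max_bytes_subkeyclassname=%d\n", cell_length, ret_val->classname_length, ret_val->max_bytes_subkeyclassname);*/
+    }
+  }
+  /***/
+
 
   return ret_val;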
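Review bot: The failure branch at new line 1659 exits the whole function with `return ret_val;` instead of just skipping the class-name parse; today only the final `return ret_val;` follows it, so the effect is the same, but any validation added below this block later would be silently bypassed on the rejected-classname path, and dropping that `return` (the pointer is already NULL at that point) keeps a single exit. On that path `ret_val->classname_length` keeps the value read from the cell while `ret_val->classname` becomes NULL, so consumers must test the pointer rather than the length; worth stating next to the NULL assignment, e.g. `/* classname stays NULL on failure; classname_length is left as read from the NK record */`. The `/***/` markers at 1638 and 1666 and the commented-out printf at 1663 look like debugging leftovers and should be removed before this is merged. The enclosing function starts before this hunk.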
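--- a/trunk/src/reglookup.c
+++ b/trunk/src/reglookup.c
@@ -47,5 +47,5 @@
 
 /* XXX: A hack to share some functions with reglookup-recover.c.
- *      Should move these into a properly library at some point.
+ *      Should move these into a proper library at some point.
  */
 #include "common.c"
@@ -295,4 +295,5 @@
   char* sacl = NULL;
   char* dacl = NULL;
+  char* quoted_classname;
   char mtime[20];
   time_t tmp_time[1];
@@ -320,6 +321,11 @@
       dacl = empty_str;
 
-    printf("%s,KEY,,%s,%s,%s,%s,%s\n", full_path, mtime,
-           owner, group, sacl, dacl);
+    if(k->classname != NULL)
+      quoted_classname = quote_string(k->classname, key_special_chars);
+    else
+      quoted_classname = empty_str;
+
+    printf("%s,KEY,,%s,%s,%s,%s,%s,%s\n", full_path, mtime,
+           owner, group, sacl, dacl, quoted_classname);
 
     if(owner != empty_str)
@@ -331,4 +337,6 @@
     if(dacl != empty_str)
       free(dacl);
+    if(quoted_classname != empty_str)
+      free(quoted_classname);
   }
   else
@@ -582,5 +590,5 @@
   {
     if(print_security)
-      printf("PATH,TYPE,VALUE,MTIME,OWNER,GROUP,SACL,DACL\n");
+      printf("PATH,TYPE,VALUE,MTIME,OWNER,GROUP,SACL,DACL,CLASS\n");
     else
       printf("PATH,TYPE,VALUE,MTIME\n");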
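Review bot: `char* quoted_classname;` at new line 297 is the only one of the neighbouring string pointers declared without an initializer, while `sacl` and `dacl` directly above are `= NULL`; `char* quoted_classname = NULL;` keeps the declarations consistent and makes the `free` guard at 339 safe should an early exit ever be added between the declaration and the assignment at 323–326. quote_string comes from common.c and is not visible here; if it can return NULL on allocation failure, the `%s` at new line 328 would be handed a null pointer, so a fallback such as `if(quoted_classname == NULL) quoted_classname = empty_str;` after the call may be warranted, depending on its contract. The function containing these lines starts and ends outside the hunk.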