Changeset 125 for trunk

Timestamp:

08/15/08 21:21:54 (16 years ago)

Author:

tim

Message:

added early version of class name parsing. additional work still needed.

Location:

trunk

Files:

• doc/reglookup.1.docbook (modified) (2 diffs)
• include/regfi.h (modified) (4 diffs)
• lib/regfi.c (modified) (3 diffs)
• src/reglookup.c (modified) (5 diffs)

trunk/doc/reglookup.1.docbook

@@ -27 +27 @@
         print them out to stdout in a CSV-like format.  It has filtering
         options to narrow the focus of the output.  This tool is
-        designed to work with on Windows NT/2K/XP/2K3/Vista registries, 
-        though your mileage may vary.
+        designed to work with on Windows NT-based registries.
     </para>
   </refsect1>
@@ -108 +107 @@
         <listitem>
           <para>
-            Adds four additional columns to output containing 
-            information from key security descriptors.  The columns 
-            are: owner, group, sacl, dacl.
+            Adds five additional columns to output containing 
+            information from key security descriptors and rarely used
+            fields.  The columns are: owner, group, sacl, dacl, class.
             (This feature's output has not been extensively tested.)
           </para>

trunk/include/regfi.h

@@ -89 +89 @@
 
 /* Constants used for validation */
+/* XXX: Can we add clock resolution validation as well as range?  It has
+ *      been reported that Windows timestamps are never more than a
+ *      certain granularity (250ms?), which could be used to help
+ *      eliminate false positives.  Would need to validate this and
+ *      perhaps conservatively implement a check.
+ */
  /* Minimum time is Jan 1, 1990 00:00:00 */
 #define REGFI_MTIME_MIN_HIGH       0x01B41E6D
@@ -108 +114 @@
 #define NK_TYPE_NORMALKEY          0x0020
 #define NK_TYPE_ROOTKEY            0x002c
- /* TODO: Unknown type that shows up in Vista registries */
+ /* XXX: Unknown type that shows up in Vista registries */
 #define NK_TYPE_UNKNOWN1           0x1020
 
@@ -216 +222 @@
   
   /* header information */
-  /* XXX: should we be looking for types other than the root key type? */
   uint16 key_type;
   uint8  magic[REC_HDR_SIZE];
@@ -224 +229 @@
   char* classname;
   char* keyname;
-  uint32 parent_off;    /* back pointer in registry hive */
-  uint32 classname_off; 
+  uint32 parent_off;                /* pointer to parent key */
+  uint32 classname_off;
   
   /* max lengths */

trunk/lib/regfi.c

@@ -1583 +1583 @@
   ret_val->values_off = IVAL(nk_header, 0x28);
   ret_val->sk_off = IVAL(nk_header, 0x2C);
-  /* XXX: currently we do nothing with class names.  Need to investigate. */
   ret_val->classname_off = IVAL(nk_header, 0x30);
 
@@ -1594 +1593 @@
   ret_val->name_length = SVAL(nk_header, 0x48);
   ret_val->classname_length = SVAL(nk_header, 0x4A);
+
 
   if(ret_val->name_length + REGFI_NK_MIN_LENGTH > ret_val->cell_size)
@@ -1634 +1634 @@
   }
   ret_val->keyname[ret_val->name_length] = '\0';
+
+
+  /***/
+  
+  if(ret_val->classname_length > 0 
+     && ret_val->classname_off != REGF_OFFSET_NONE 
+     && ret_val->classname_off == (ret_val->classname_off & 0xFFFFFFF8))
+  {
+    ret_val->classname = (char*)zalloc(ret_val->classname_length+1);
+    if(ret_val->classname != NULL)
+    {
+      if(!regfi_parse_cell(file->fd, ret_val->classname_off+REGF_BLOCKSIZE, 
+                           (uint8*)ret_val->classname, ret_val->classname_length,
+                           &cell_length, &unalloc) 
+         || (cell_length < ret_val->classname_length)
+         || (strict && unalloc))
+      {
+        /* Being careful not to reject the whole key here even when
+         * strict and things are obviously wrong, since it appears
+         * they're commonly obviously wrong. 
+         */
+        free(ret_val->classname);
+        ret_val->classname = NULL;
+        return ret_val;
+      }
+
+      ret_val->classname[ret_val->classname_length] = '\0';
+      /*printf("==> cell_length=%d, classname_length=%d, max_bytes_subkeyclassname=%d\n", cell_length, ret_val->classname_length, ret_val->max_bytes_subkeyclassname);*/
+    }
+  }
+  /***/
+
 
   return ret_val;

trunk/src/reglookup.c

@@ -47 +47 @@
 
 /* XXX: A hack to share some functions with reglookup-recover.c.
- *      Should move these into a properly library at some point.
+ *      Should move these into a proper library at some point.
  */
 #include "common.c"
@@ -295 +295 @@
   char* sacl = NULL;
   char* dacl = NULL;
+  char* quoted_classname;
   char mtime[20];
   time_t tmp_time[1];
@@ -320 +321 @@
       dacl = empty_str;
 
-    printf("%s,KEY,,%s,%s,%s,%s,%s\n", full_path, mtime, 
-           owner, group, sacl, dacl);
+    if(k->classname != NULL)
+      quoted_classname = quote_string(k->classname, key_special_chars);
+    else
+      quoted_classname = empty_str;
+
+    printf("%s,KEY,,%s,%s,%s,%s,%s,%s\n", full_path, mtime, 
+           owner, group, sacl, dacl, quoted_classname);
 
     if(owner != empty_str)
@@ -331 +337 @@
     if(dacl != empty_str)
       free(dacl);
+    if(quoted_classname != empty_str)
+      free(quoted_classname);
   }
   else
@@ -582 +590 @@
   {
     if(print_security)
-      printf("PATH,TYPE,VALUE,MTIME,OWNER,GROUP,SACL,DACL\n");
+      printf("PATH,TYPE,VALUE,MTIME,OWNER,GROUP,SACL,DACL,CLASS\n");
     else
       printf("PATH,TYPE,VALUE,MTIME\n");