- Timestamp:
- 01/23/09 17:58:43 (16 years ago)
- File:
-
- 1 edited
trunk/lib/regfi.c
r136 r137 701 701 if(!regfi_parse_cell(file->fd, offset, sk_header, REGFI_SK_MIN_LENGTH, 702 702 &cell_length, &unalloc)) 703 return NULL; 703 { 704 regfi_add_message(file, "ERROR: Could not parse SK record cell" 705 " at offset 0x%.8X.", offset); 706 return NULL; 707 } 704 708 705 709 if(sk_header[0] != 's' || sk_header[1] != 'k') 706 return NULL; 707 710 { 711 regfi_add_message(file, "ERROR: Magic number mismatch in parsing SK record" 712 " at offset 0x%.8X.", offset); 713 return NULL; 714 } 715 708 716 ret_val = (REGFI_SK_REC*)zalloc(sizeof(REGFI_SK_REC)); 709 717 if(ret_val == NULL) … … 721 729 || (strict && ret_val->cell_size != (ret_val->cell_size & 0xFFFFFFF8))) 722 730 { 731 regfi_add_message(file, "ERROR: Invalid cell size found while parsing SK" 732 " record at offset 0x%.8X.", offset); 723 733 free(ret_val); 724 734 return NULL; … … 737 747 if(ret_val->desc_size + REGFI_SK_MIN_LENGTH > ret_val->cell_size) 738 748 { 749 regfi_add_message(file, "ERROR: Security descriptor too large for cell" 750 " while parsing SK record at offset 0x%.8X.", offset); 739 751 free(ret_val); 740 752 return NULL; … … 752 764 || length != ret_val->desc_size) 753 765 { 766 regfi_add_message(file, "ERROR: Failed to read security descriptor" 767 " while parsing SK record at offset 0x%.8X.", offset); 754 768 free(ret_val); 755 769 return NULL; … … 758 772 if(!(ret_val->sec_desc = winsec_parse_desc(sec_desc_buf, ret_val->desc_size))) 759 773 { 774 regfi_add_message(file, "ERROR: Failed to parse security descriptor" 775 " while parsing SK record at offset 0x%.8X.", offset); 760 776 free(sec_desc_buf); 761 777 free(ret_val); … … 777 793 778 794 if(!regfi_parse_cell(file->fd, offset, NULL, 0, &cell_length, &unalloc)) 779 return NULL; 795 { 796 regfi_add_message(file, "ERROR: Failed to read cell header" 797 " while parsing value list at offset 0x%.8X.", offset); 798 return NULL; 799 } 780 800 781 801 if(cell_length != (cell_length & 0xFFFFFFF8)) … … 786 806 } 787 807 if((num_values * 
sizeof(uint32)) > cell_length-sizeof(uint32)) 788 return NULL; 808 { 809 regfi_add_message(file, "ERROR: Too many values found" 810 " while parsing value list at offset 0x%.8X.", offset); 811 return NULL; 812 } 789 813 790 814 read_len = num_values*sizeof(uint32); … … 796 820 if((regfi_read(file->fd, (uint8*)ret_val, &length) != 0) || length != read_len) 797 821 { 822 regfi_add_message(file, "ERROR: Failed to read value pointers" 823 " while parsing value list at offset 0x%.8X.", offset); 798 824 free(ret_val); 799 825 return NULL; … … 811 837 || ((ret_val[i] & 0xFFFFFFF8) != ret_val[i])) 812 838 { 839 regfi_add_message(file, "ERROR: Invalid value pointer (0x%.8X) found" 840 " while parsing value list at offset 0x%.8X.", 841 ret_val[i], offset); 813 842 free(ret_val); 814 843 return NULL; … … 906 935 { 907 936 regfi_add_message(file, "ERROR: Could not load NK record at" 908 " offset 0x%.8X. \n", offset);937 " offset 0x%.8X.", offset); 909 938 return NULL; 910 939 } … … 937 966 { 938 967 regfi_add_message(file, "ERROR: Could not load value list" 939 " for NK record at offset 0x%.8X. \n",968 " for NK record at offset 0x%.8X.", 940 969 offset); 941 970 free(nk); … … 1034 1063 REGFI_FILE* regfi_open(const char* filename) 1035 1064 { 1065 struct stat sbuf; 1036 1066 REGFI_FILE* rb; 1037 1067 REGFI_HBIN* hbin = NULL; 1038 uint32 hbin_off ;1068 uint32 hbin_off, file_length; 1039 1069 int fd; 1040 1070 bool rla; … … 1047 1077 } 1048 1078 1079 /* Determine file length. Must be at least big enough 1080 * for the header and one hbin. 
1081 */ 1082 if (fstat(fd, &sbuf) == -1) 1083 return NULL; 1084 file_length = sbuf.st_size; 1085 if(file_length < REGFI_REGF_SIZE+REGFI_HBIN_ALLOC) 1086 return NULL; 1087 1049 1088 /* read in an existing file */ 1050 1089 if ((rb = regfi_parse_regf(fd, true)) == NULL) … … 1054 1093 return NULL; 1055 1094 } 1056 1095 rb->file_length = file_length; 1096 1057 1097 rb->hbins = range_list_new(); 1058 1098 if(rb->hbins == NULL) … … 1069 1109 while(hbin && rla) 1070 1110 { 1111 rla = range_list_add(rb->hbins, hbin->file_off, hbin->block_size, hbin); 1071 1112 hbin_off = hbin->file_off + hbin->block_size; 1072 rla = range_list_add(rb->hbins, hbin->file_off, hbin->block_size, hbin); 1113 /*fprintf(stderr, "file_length=%.8X,hbin_off=%.8X,hbin->block_size=%.8X,hbin->next_block=%.8X\n", 1114 file_length, hbin_off, hbin->block_size, hbin->next_block);*/ 1073 1115 hbin = regfi_parse_hbin(rb, hbin_off, true); 1074 1116 } … … 1550 1592 uint8 file_header[REGFI_REGF_SIZE]; 1551 1593 uint32 length; 1552 uint32 file_length;1553 struct stat sbuf;1554 1594 REGFI_FILE* ret_val; 1555 1556 /* Determine file length. 
Must be at least big enough1557 * for the header and one hbin.1558 */1559 if (fstat(fd, &sbuf) == -1)1560 return NULL;1561 file_length = sbuf.st_size;1562 if(file_length < REGFI_REGF_SIZE+REGFI_HBIN_ALLOC)1563 return NULL;1564 1595 1565 1596 ret_val = (REGFI_FILE*)zalloc(sizeof(REGFI_FILE)); … … 1568 1599 1569 1600 ret_val->fd = fd; 1570 ret_val->file_length = file_length;1571 1601 1572 1602 length = REGFI_REGF_SIZE; … … 1630 1660 1631 1661 if(lseek(file->fd, offset, SEEK_SET) == -1) 1632 return NULL; 1662 { 1663 regfi_add_message(file, "ERROR: Seek failed" 1664 " while parsing hbin at offset 0x%.8X.", offset); 1665 return NULL; 1666 } 1633 1667 1634 1668 length = REGFI_HBIN_HEADER_SIZE; … … 1637 1671 return NULL; 1638 1672 1639 1640 1673 if(lseek(file->fd, offset, SEEK_SET) == -1) 1641 return NULL; 1674 { 1675 regfi_add_message(file, "ERROR: Seek failed" 1676 " while parsing hbin at offset 0x%.8X.", offset); 1677 return NULL; 1678 } 1642 1679 1643 1680 if(!(hbin = (REGFI_HBIN*)zalloc(sizeof(REGFI_HBIN)))) … … 1648 1685 if(strict && (memcmp(hbin->magic, "hbin", 4) != 0)) 1649 1686 { 1687 /* XXX: add this back in when we have configurable verbosity. 
*/ 1688 /* regfi_add_message(file, "INFO: Magic number mismatch (%.2X %.2X %.2X %.2X)" 1689 " while parsing hbin at offset 0x%.8X.", hbin->magic[0], 1690 hbin->magic[1], hbin->magic[2], hbin->magic[3], offset); */ 1650 1691 free(hbin); 1651 1692 return NULL; … … 1654 1695 hbin->first_hbin_off = IVAL(hbin_header, 0x4); 1655 1696 hbin->block_size = IVAL(hbin_header, 0x8); 1697 /*fprintf(stderr, "hbin->block_size field => %.8X\n", IVAL(hbin_header, 0x8));*/ 1698 /* hbin->block_size = IVAL(hbin_header, 0x8);*/ 1656 1699 /* this should be the same thing as hbin->block_size but just in case */ 1657 1700 hbin->next_block = IVAL(hbin_header, 0x1C); … … 1667 1710 || (hbin->block_size & 0xFFFFF000) != hbin->block_size) 1668 1711 { 1712 regfi_add_message(file, "ERROR: The hbin offset is not aligned" 1713 " or runs off the end of the file" 1714 " while parsing hbin at offset 0x%.8X.", offset); 1669 1715 free(hbin); 1670 1716 return NULL; … … 1689 1735 if(!regfi_parse_cell(file->fd, offset, nk_header, REGFI_NK_MIN_LENGTH, 1690 1736 &cell_length, &unalloc)) 1691 return NULL; 1692 1737 { 1738 regfi_add_message(file, "ERROR: Could not parse cell header" 1739 " while parsing NK record at offset 0x%.8X.", offset); 1740 return NULL; 1741 } 1742 1693 1743 /* A bit of validation before bothering to allocate memory */ 1694 1744 if((nk_header[0x0] != 'n') || (nk_header[0x1] != 'k')) 1695 1745 { 1696 1746 regfi_add_message(file, "ERROR: Magic number mismatch in parsing NK record" 1697 " at offset 0x%.8X. \n", offset);1747 " at offset 0x%.8X.", offset); 1698 1748 return NULL; 1699 1749 } … … 1703 1753 { 1704 1754 regfi_add_message(file, "ERROR: Failed to allocate memory while" 1705 " parsing NK record at offset 0x%.8X. \n", offset);1755 " parsing NK record at offset 0x%.8X.", offset); 1706 1756 return NULL; 1707 1757 } … … 1716 1766 { 1717 1767 regfi_add_message(file, "ERROR: A length check failed while parsing" 1718 " NK record at offset 0x%.8X. 
\n", offset);1768 " NK record at offset 0x%.8X.", offset); 1719 1769 free(ret_val); 1720 1770 return NULL; … … 1728 1778 && (ret_val->key_type != REGFI_NK_TYPE_ROOTKEY2) 1729 1779 && (ret_val->key_type != REGFI_NK_TYPE_LINKKEY) 1730 && (ret_val->key_type != REGFI_NK_TYPE_UNKNOWN1)) 1731 { 1732 regfi_add_message(file, "ERROR: Unknown key type (0x%.4X) while parsing" 1733 " NK record at offset 0x%.8X.\n", ret_val->key_type, 1780 && (ret_val->key_type != REGFI_NK_TYPE_UNKNOWN1) 1781 && (ret_val->key_type != REGFI_NK_TYPE_UNKNOWN2) 1782 && (ret_val->key_type != REGFI_NK_TYPE_UNKNOWN3)) 1783 { 1784 regfi_add_message(file, "WARN: Unknown key type (0x%.4X) while parsing" 1785 " NK record at offset 0x%.8X.", ret_val->key_type, 1734 1786 offset); 1735 free(ret_val);1736 return NULL;1737 1787 } 1738 1788 … … 1775 1825 if(strict) 1776 1826 { 1827 regfi_add_message(file, "ERROR: Contents too large for cell" 1828 " while parsing NK record at offset 0x%.8X.", offset); 1777 1829 free(ret_val); 1778 1830 return NULL; … … 1805 1857 || length != ret_val->name_length) 1806 1858 { 1859 regfi_add_message(file, "ERROR: Failed to read key name" 1860 " while parsing NK record at offset 0x%.8X.", offset); 1807 1861 free(ret_val->keyname); 1808 1862 free(ret_val); … … 1823 1877 } 1824 1878 else 1879 { 1825 1880 ret_val->classname = NULL; 1826 /* 1881 regfi_add_message(file, "WARN: Could not find hbin for class name" 1882 " while parsing NK record at offset 0x%.8X.", offset); 1883 } 1884 /* XXX: Should add this back and make it more strict? 
1827 1885 if(strict && ret_val->classname == NULL) 1828 1886 return NULL; 1829 1887 */ 1830 1888 } 1831 1889 /* 1890 if(ret_val->key_type == 0x0000 || ret_val->key_type == 0x4020) 1891 { 1892 fprintf(stderr, "INFO: keyname=%s,classname=%s,unalloc=%d,num_subkeys=%d,num_values=%d\n", 1893 ret_val->keyname,ret_val->classname,unalloc,ret_val->num_subkeys,ret_val->num_values); 1894 } 1895 */ 1832 1896 return ret_val; 1833 1897 } … … 1846 1910 { 1847 1911 if(!regfi_parse_cell(file->fd, offset, NULL, 0, &cell_length, &unalloc)) 1912 { 1913 regfi_add_message(file, "ERROR: Could not parse cell header" 1914 " while parsing class name at offset 0x%.8X.", offset); 1848 1915 return NULL; 1916 } 1849 1917 1850 1918 if((cell_length & 0xFFFFFFF8) != cell_length) 1919 { 1920 regfi_add_message(file, "ERROR: Cell length not a multiple of 8" 1921 " while parsing class name at offset 0x%.8X.", offset); 1851 1922 return NULL; 1852 1923 } 1924 1853 1925 if(cell_length > max_size) 1854 1926 { 1927 regfi_add_message(file, "WARN: Cell stretches past hbin boundary" 1928 " while parsing class name at offset 0x%.8X.", offset); 1855 1929 if(strict) 1856 1930 return NULL; … … 1860 1934 if((cell_length - 4) < *name_length) 1861 1935 { 1936 regfi_add_message(file, "WARN: Class name is larger than cell_length" 1937 " while parsing class name at offset 0x%.8X.", offset); 1862 1938 if(strict) 1863 1939 return NULL; … … 1872 1948 || length != *name_length) 1873 1949 { 1950 regfi_add_message(file, "ERROR: Could not read class name" 1951 " while parsing class name at offset 0x%.8X.", offset); 1874 1952 free(ret_val); 1875 1953 return NULL; 1876 1954 } 1877 1878 /*printf("==> cell_length=%d, classname_length=%d, max_bytes_subkeyclassname=%d\n", cell_length, ret_val->classname_length, ret_val->max_bytes_subkeyclassname);*/1879 1955 } 1880 1956 } … … 1898 1974 if(!regfi_parse_cell(file->fd, offset, vk_header, REGFI_VK_MIN_LENGTH, 1899 1975 &cell_length, &unalloc)) 1900 return NULL; 1976 { 1977 
regfi_add_message(file, "ERROR: Could not parse cell header" 1978 " while parsing VK record at offset 0x%.8X.", offset); 1979 return NULL; 1980 } 1901 1981 1902 1982 ret_val = (REGFI_VK_REC*)zalloc(sizeof(REGFI_VK_REC)); … … 1912 1992 || ret_val->cell_size != (ret_val->cell_size & 0xFFFFFFF8)) 1913 1993 { 1994 regfi_add_message(file, "ERROR: Invalid cell size encountered" 1995 " while parsing VK record at offset 0x%.8X.", offset); 1914 1996 free(ret_val); 1915 1997 return NULL; … … 1924 2006 * 0xFFFF. 1925 2007 */ 2008 regfi_add_message(file, "ERROR: Magic number mismatch" 2009 " while parsing VK record at offset 0x%.8X.", offset); 1926 2010 free(ret_val); 1927 2011 return NULL; … … 1941 2025 if(ret_val->name_length + REGFI_VK_MIN_LENGTH + 4 > ret_val->cell_size) 1942 2026 { 2027 regfi_add_message(file, "WARN: Name too long for remaining cell space" 2028 " while parsing VK record at offset 0x%.8X.", offset); 1943 2029 if(strict) 1944 2030 { … … 1966 2052 || length != ret_val->name_length) 1967 2053 { 2054 regfi_add_message(file, "ERROR: Could not read value name" 2055 " while parsing VK record at offset 0x%.8X.", offset); 1968 2056 free(ret_val->valuename); 1969 2057 free(ret_val); … … 2004 2092 } 2005 2093 else 2094 { 2095 regfi_add_message(file, "WARN: Could not find hbin for data" 2096 " while parsing VK record at offset 0x%.8X.", offset); 2006 2097 ret_val->data = NULL; 2007 }2008 2009 if(strict && (ret_val->data == NULL)) 2010 {2011 free(ret_val->valuename);2012 free(ret_val);2013 return NULL;2098 } 2099 } 2100 2101 if(ret_val->data == NULL) 2102 { 2103 regfi_add_message(file, "WARN: Could not parse data record" 2104 " while parsing VK record at offset 0x%.8X.", offset); 2014 2105 } 2015 2106 } … … 2027 2118 bool unalloc; 2028 2119 2029 /* The data is stored in the offset if the size <= 4 */2120 /* The data is typically stored in the offset if the size <= 4 */ 2030 2121 if (length & REGFI_VK_DATA_IN_OFFSET) 2031 2122 { 2032 2123 length = length & 
~REGFI_VK_DATA_IN_OFFSET; 2033 2124 if(length > 4) 2125 { 2126 regfi_add_message(file, "ERROR: Data in offset but length > 4" 2127 " while parsing data record at offset 0x%.8X.", 2128 offset); 2034 2129 return NULL; 2130 } 2035 2131 2036 2132 if((ret_val = (uint8*)zalloc(sizeof(uint8)*length)) == NULL) … … 2044 2140 if(!regfi_parse_cell(file->fd, offset, NULL, 0, 2045 2141 &cell_length, &unalloc)) 2142 { 2143 regfi_add_message(file, "ERROR: Could not parse cell while" 2144 " parsing data record at offset 0x%.8X.", offset); 2046 2145 return NULL; 2146 } 2047 2147 2048 2148 if((cell_length & 0xFFFFFFF8) != cell_length) 2149 { 2150 regfi_add_message(file, "ERROR: Cell length not multiple of 8" 2151 " while parsing data record at offset 0x%.8X.", 2152 offset); 2049 2153 return NULL; 2154 } 2050 2155 2051 2156 if(cell_length > max_size) 2052 2157 { 2158 regfi_add_message(file, "WARN: Cell extends past hbin boundary" 2159 " while parsing data record at offset 0x%.8X.", 2160 offset); 2053 2161 if(strict) 2054 2162 return NULL; … … 2063 2171 * such as 53392. 2064 2172 */ 2173 regfi_add_message(file, "WARN: Data length (0x%.8X) larger than" 2174 " remaining cell length (0x%.8X)" 2175 " while parsing data record at offset 0x%.8X.", 2176 length, cell_length - 4, offset); 2065 2177 if(strict) 2066 2178 return NULL; … … 2076 2188 || read_length != length) 2077 2189 { 2190 regfi_add_message(file, "ERROR: Could not read data block while" 2191 " parsing data record at offset 0x%.8X.", offset); 2078 2192 free(ret_val); 2079 2193 return NULL;
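Review bot: In regfi_open, the two early exits added at new lines 1082-1086 (the `fstat` failure and the minimum-size check) return NULL without releasing `fd`, which appears to be opened just above the hunk; the cleanup on the later regfi_parse_regf failure path is not visible here, so confirm what it does and mirror it, e.g. `if(fstat(fd, &sbuf) == -1) { close(fd); return NULL; }`. A caller that opens many truncated or unreadable hives would otherwise leak one descriptor per rejected file. Separately, `file_length = sbuf.st_size;` narrows an `off_t` into a `uint32`, so a file of 4 GiB or more gets a wrapped length that is then stored in `rb->file_length`; rejecting `sbuf.st_size > 0xFFFFFFFF` before the assignment keeps any later comparison against the file length working on the true size. Neither rejection is reported to the caller, because no REGFI_FILE exists yet to carry a regfi_add_message; a short comment saying so would help.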