Changeset 158 for trunk/lib


Ignore:
Timestamp:
11/23/09 23:06:51 (15 years ago)
Author:
tim
Message:

simplified root key search

moved classname parsing up to regfi_load_key

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/lib/regfi.c

    r157 r158  
    11041104  }
    11051105
     1106  /* Get classname if it exists */
     1107  if(nk->classname_off != REGFI_OFFSET_NONE)
     1108  {
     1109    off = nk->classname_off + REGFI_REGF_SIZE;
     1110    max_size = regfi_calc_maxsize(file, off);
     1111    if(max_size >= 0)
     1112    {
     1113      nk->classname
     1114        = regfi_parse_classname(file, off, &nk->classname_length,
     1115                                max_size, strict);
     1116    }
     1117    else
     1118    {
     1119      nk->classname = NULL;
     1120      regfi_add_message(file, REGFI_MSG_WARN, "Could not find hbin for class"
     1121                        " name while parsing NK record at offset 0x%.8X.",
     1122                        offset);
     1123    }
     1124
     1125    if(nk->classname == NULL)
     1126    {
     1127      regfi_add_message(file, REGFI_MSG_WARN, "Could not parse class"
     1128                        " name while parsing NK record at offset 0x%.8X.",
     1129                        offset);
     1130    }
     1131    else
     1132      talloc_steal(nk, nk->classname);
     1133  }
     1134
    11061135  return nk;
    11071136}
     
    11501179/******************************************************************************
    11511180 ******************************************************************************/
    1152 static bool regfi_find_root_nk(REGFI_FILE* file, uint32 offset,uint32 hbin_size,
    1153                                uint32* root_offset)
    1154 {
    1155   uint8 tmp[4];
    1156   int32 record_size;
    1157   uint32 length, hbin_offset = 0;
     1181REGFI_NK_REC* regfi_find_root_nk(REGFI_FILE* file, const REGFI_HBIN* hbin)
     1182{
    11581183  REGFI_NK_REC* nk = NULL;
    1159   bool found = false;
    1160 
    1161   for(record_size=0; !found && (hbin_offset < hbin_size); )
    1162   {
    1163     if(lseek(file->fd, offset+hbin_offset, SEEK_SET) == -1)
    1164       return false;
     1184  uint32 cell_length;
     1185  uint32 cur_offset = hbin->file_off+REGFI_HBIN_HEADER_SIZE;
     1186  uint32 hbin_end = hbin->file_off+hbin->block_size;
     1187  bool unalloc;
     1188
     1189  while(cur_offset < hbin_end)
     1190  {
     1191    fprintf(stderr, "DEBUG: trying cell offset 0x%.8X\n", cur_offset);
     1192    if(!regfi_parse_cell(file->fd, cur_offset, NULL, 0, &cell_length, &unalloc))
     1193    {
     1194      regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell at offset"
     1195                        " 0x%.8X while searching for root key.", cur_offset);
     1196      return NULL;
     1197    }
    11651198   
    1166     length = 4;
    1167     if((regfi_read(file->fd, tmp, &length) != 0) || length != 4)
    1168       return false;
    1169     record_size = IVALS(tmp, 0);
    1170 
    1171     if(record_size < 0)
    1172     {
    1173       record_size = record_size*(-1);
    1174       nk = regfi_parse_nk(file, offset+hbin_offset, hbin_size-hbin_offset, true);
     1199    if(!unalloc)
     1200    {
     1201      nk = regfi_load_key(file, cur_offset, true);
    11751202      if(nk != NULL)
    11761203      {
    11771204        if(nk->key_type & REGFI_NK_FLAG_ROOT)
    1178         {
    1179           found = true;
    1180           *root_offset = nk->offset;
    1181         }
    1182         regfi_free_key(nk);
     1205          return nk;
    11831206      }
    11841207    }
    11851208
    1186     hbin_offset += record_size;
    1187   }
    1188 
    1189   return found;
     1209    cur_offset += cell_length;
     1210  }
     1211
     1212  return NULL;
    11901213}
    11911214
     
    12921315
    12931316/******************************************************************************
    1294  * There should be only *one* root key in the registry file based
    1295  * on my experience.  --jerry
     1317 * First checks the offset given by the file header, then checks the
     1318 * rest of the file if that fails.
    12961319 ******************************************************************************/
    12971320REGFI_NK_REC* regfi_rootkey(REGFI_FILE *file)
     
    13041327    return NULL;
    13051328
    1306   /* Scan through the file one HBIN block at a time looking
    1307    * for an NK record with a root key type.
    1308    * This is typically the first NK record in the first HBIN
    1309    * block (but we're not assuming that generally).
     1329  root_offset = file->root_cell+REGFI_REGF_SIZE;
     1330  nk = regfi_load_key(file, root_offset, true);
     1331  if(nk != NULL)
     1332  {
     1333    if(nk->key_type & REGFI_NK_FLAG_ROOT)
     1334      return nk;
     1335  }
     1336
     1337  regfi_add_message(file, REGFI_MSG_WARN, "File header indicated root key at"
     1338                    " location 0x%.8X, but no root key found."
     1339                    " Searching rest of file...", root_offset);
     1340 
     1341  /* If the file header gives bad info, scan through the file one HBIN
     1342   * block at a time looking for an NK record with a root key type.
    13101343   */
    13111344  num_hbins = range_list_size(file->hbins);
    1312   for(i=0; i < num_hbins; i++)
     1345  for(i=0; i < num_hbins && nk == NULL; i++)
    13131346  {
    13141347    hbin = (REGFI_HBIN*)range_list_get(file->hbins, i)->data;
    1315     if(regfi_find_root_nk(file, hbin->file_off+REGFI_HBIN_HEADER_SIZE,
    1316                           hbin->block_size-REGFI_HBIN_HEADER_SIZE, &root_offset))
    1317     {
    1318       nk = regfi_load_key(file, root_offset, true);
    1319       break;
    1320     }
     1348    nk = regfi_find_root_nk(file, hbin);
    13211349  }
    13221350
     
    18361864 *******************************************************************/
    18371865REGFI_NK_REC* regfi_parse_nk(REGFI_FILE* file, uint32 offset,
    1838                             uint32 max_size, bool strict)
     1866                             uint32 max_size, bool strict)
    18391867{
    18401868  uint8 nk_header[REGFI_NK_MIN_LENGTH];
    18411869  REGFI_NK_REC* ret_val;
    18421870  uint32 length,cell_length;
    1843   uint32 class_offset;
    1844   int32 class_maxsize;
    18451871  bool unalloc = false;
    18461872
     
    19711997  }
    19721998  ret_val->keyname[ret_val->name_length] = '\0';
    1973 
    1974   /* XXX: This linking should be moved up to regfi_load_key */
    1975   if(ret_val->classname_off != REGFI_OFFSET_NONE)
    1976   {
    1977     class_offset = ret_val->classname_off + REGFI_REGF_SIZE;
    1978     class_maxsize = regfi_calc_maxsize(file, class_offset);
    1979     if(class_maxsize > 0)
    1980     {
    1981       ret_val->classname
    1982         = regfi_parse_classname(file, class_offset, &ret_val->classname_length,
    1983                                 class_maxsize, strict);
    1984     }
    1985     else
    1986     {
    1987       ret_val->classname = NULL;
    1988       regfi_add_message(file, REGFI_MSG_WARN, "Could not find hbin for class"
    1989                         " name while parsing NK record at offset 0x%.8X.",
    1990                         offset);
    1991     }
    1992 
    1993     if(ret_val->classname == NULL)
    1994     {
    1995       regfi_add_message(file, REGFI_MSG_WARN, "Could not parse class"
    1996                         " name while parsing NK record at offset 0x%.8X.",
    1997                         offset);
    1998     }
    1999     else
    2000       talloc_steal(ret_val, ret_val->classname);
    2001   }
    20021999
    20032000  return ret_val;
Note: See TracChangeset for help on using the changeset viewer.