Changeset 4
- Timestamp:
- 02/19/05 22:19:23 (20 years ago)
- Files:
-
- 2 added
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
src/reglookup.c
r2 r4 1 1 /* 2 * $Id: $ 2 * $Id$ 3 * 4 * A utility to edit a Windows NT/2K etc registry file. 3 5 * 4 6 * This code was taken from Richard Sharpe''s editreg utility, in the … … 11 13 * This program is free software; you can redistribute it and/or modify 12 14 * it under the terms of the GNU General Public License as published by 13 * the Free Software Foundation; either version 2 of the License, or 14 * (at your option) any later version. 15 * the Free Software Foundation; version 2 of the License. 15 16 * 16 17 * This program is distributed in the hope that it will be useful, … … 25 26 26 27 /************************************************************************* 27 28 A utility to edit a Windows NT/2K etc registry file. 29 30 Many of the ideas in here come from other people and software. 31 I first looked in Wine in misc/registry.c and was also influenced by 32 http://www.wednesday.demon.co.uk/dosreg.html 33 34 Which seems to contain comments from someone else. I reproduce them here 35 incase the site above disappears. It actually comes from 36 http://home.eunet.no/~pnordahl/ntpasswd/WinReg.txt. 37 38 The goal here is to read the registry into memory, manipulate it, and then 39 write it out if it was changed by any actions of the user. 40 41 The windows NT registry has 2 different blocks, where one can occur many 42 times... 43 44 the "regf"-Block 45 ================ 28 29 A note from Richard Sharpe: 30 Many of the ideas in here come from other people and software. 31 I first looked in Wine in misc/registry.c and was also influenced by 32 http://www.wednesday.demon.co.uk/dosreg.html 33 34 Which seems to contain comments from someone else. I reproduce them here 35 incase the site above disappears. It actually comes from 36 http://home.eunet.no/~pnordahl/ntpasswd/WinReg.txt. 46 37 47 "regf" is obviosly the abbreviation for "Registry file". "regf" is the 48 signature of the header-block which is always 4kb in size, although only 49 the first 64 bytes seem to be used and a checksum is calculated over 50 the first 0x200 bytes only! 51 52 Offset Size Contents 53 0x00000000 D-Word ID: ASCII-"regf" = 0x66676572 54 0x00000004 D-Word ???? //see struct REGF 55 0x00000008 D-Word ???? Always the same value as at 0x00000004 56 0x0000000C Q-Word last modify date in WinNT date-format 57 0x00000014 D-Word 1 58 0x00000018 D-Word 3 59 0x0000001C D-Word 0 60 0x00000020 D-Word 1 61 0x00000024 D-Word Offset of 1st key record 62 0x00000028 D-Word Size of the data-blocks (Filesize-4kb) 63 0x0000002C D-Word 1 64 0x000001FC D-Word Sum of all D-Words from 0x00000000 to 65 0x000001FB //XOR of all words. Nigel 66 67 I have analyzed more registry files (from multiple machines running 68 NT 4.0 german version) and could not find an explanation for the values 69 marked with ???? the rest of the first 4kb page is not important... 70 71 the "hbin"-Block 72 ================ 73 I dont know what "hbin" stands for, but this block is always a multiple 74 of 4kb in size. 75 76 Inside these hbin-blocks the different records are placed. The memory- 77 management looks like a C-compiler heap management to me... 78 79 hbin-Header 80 =========== 81 Offset Size Contents 82 0x0000 D-Word ID: ASCII-"hbin" = 0x6E696268 83 0x0004 D-Word Offset from the 1st hbin-Block 84 0x0008 D-Word Offset to the next hbin-Block 85 0x001C D-Word Block-size 86 87 The values in 0x0008 and 0x001C should be the same, so I dont know 88 if they are correct or swapped... 89 90 From offset 0x0020 inside a hbin-block data is stored with the following 91 format: 92 93 Offset Size Contents 94 0x0000 D-Word Data-block size //this size must be a 95 multiple of 8. Nigel 96 0x0004 ???? Data 97 98 If the size field is negative (bit 31 set), the corresponding block 99 is free and has a size of -blocksize! 100 101 That does not seem to be true. All block lengths seem to be negative! 102 (Richard Sharpe) 103 104 The data is stored as one record per block. Block size is a multiple 105 of 4 and the last block reaches the next hbin-block, leaving no room. 106 107 (That also seems incorrect, in that the block size if a multiple of 8. 108 That is, the block, including the 4 byte header, is always a multiple of 109 8 bytes. Richard Sharpe.) 110 111 Records in the hbin-blocks 112 ========================== 113 114 nk-Record 115 116 The nk-record can be treated as a kombination of tree-record and 117 key-record of the win 95 registry. 118 119 lf-Record 120 121 The lf-record is the counterpart to the RGKN-record (the 122 hash-function) 123 124 vk-Record 125 126 The vk-record consists information to a single value. 127 128 sk-Record 129 130 sk (? Security Key ?) is the ACL of the registry. 131 132 Value-Lists 133 134 The value-lists contain information about which values are inside a 135 sub-key and dont have a header. 136 137 Datas 138 139 The datas of the registry are (like the value-list) stored without a 140 header. 141 142 All offset-values are relative to the first hbin-block and point to the 143 block-size field of the record-entry. to get the file offset, you have to add 144 the header size (4kb) and the size field (4 bytes)... 145 146 the nk-Record 147 ============= 148 Offset Size Contents 149 0x0000 Word ID: ASCII-"nk" = 0x6B6E 150 0x0002 Word for the root-key: 0x2C, otherwise 0x20 //key symbolic links 0x10. Nigel 151 0x0004 Q-Word write-date/time in windows nt notation 152 0x0010 D-Word Offset of Owner/Parent key 153 0x0014 D-Word number of sub-Keys 154 0x001C D-Word Offset of the sub-key lf-Records 155 0x0024 D-Word number of values 156 0x0028 D-Word Offset of the Value-List 157 0x002C D-Word Offset of the sk-Record 158 159 0x0030 D-Word Offset of the Class-Name //see NK structure for the use of these fields. Nigel 160 0x0044 D-Word Unused (data-trash) //some kind of run time index. Does not appear to be important. Nigel 161 0x0048 Word name-length 162 0x004A Word class-name length 163 0x004C ???? key-name 164 165 the Value-List 166 ============== 167 Offset Size Contents 168 0x0000 D-Word Offset 1st Value 169 0x0004 D-Word Offset 2nd Value 170 0x???? D-Word Offset nth Value 171 172 To determine the number of values, you have to look at the owner-nk-record! 173 174 Der vk-Record 175 ============= 176 Offset Size Contents 177 0x0000 Word ID: ASCII-"vk" = 0x6B76 178 0x0002 Word name length 179 0x0004 D-Word length of the data //if top bit is set when offset contains data. Nigel 180 0x0008 D-Word Offset of Data 181 0x000C D-Word Type of value 182 0x0010 Word Flag 183 0x0012 Word Unused (data-trash) 184 0x0014 ???? Name 185 186 If bit 0 of the flag-word is set, a name is present, otherwise the value has no name (=default) 187 188 If the data-size is lower 5, the data-offset value is used to store the data itself! 189 190 The data-types 191 ============== 192 Wert Beteutung 193 0x0001 RegSZ: character string (in UNICODE!) 194 0x0002 ExpandSZ: string with "%var%" expanding (UNICODE!) 195 0x0003 RegBin: raw-binary value 196 0x0004 RegDWord: Dword 197 0x0007 RegMultiSZ: multiple strings, seperated with 0 198 (UNICODE!) 199 200 The "lf"-record 201 =============== 202 Offset Size Contents 203 0x0000 Word ID: ASCII-"lf" = 0x666C 204 0x0002 Word number of keys 205 0x0004 ???? Hash-Records 206 207 Hash-Record 208 =========== 209 Offset Size Contents 210 0x0000 D-Word Offset of corresponding "nk"-Record 211 0x0004 D-Word ASCII: the first 4 characters of the key-name, padded with 0-s. Case sensitiv! 212 213 Keep in mind, that the value at 0x0004 is used for checking the data-consistency! If you change the 214 key-name you have to change the hash-value too! 215 216 //These hashrecords must be sorted low to high within the lf record. Nigel. 217 218 The "sk"-block 219 ============== 220 (due to the complexity of the SAM-info, not clear jet) 221 (This is just a self-relative security descriptor in the data. R Sharpe.) 222 223 224 Offset Size Contents 225 0x0000 Word ID: ASCII-"sk" = 0x6B73 226 0x0002 Word Unused 227 0x0004 D-Word Offset of previous "sk"-Record 228 0x0008 D-Word Offset of next "sk"-Record 229 0x000C D-Word usage-counter 230 0x0010 D-Word Size of "sk"-record in bytes 231 ???? //standard self 232 relative security desciptor. Nigel 233 ???? ???? Security and auditing settings... 234 ???? 235 236 The usage counter counts the number of references to this 237 "sk"-record. You can use one "sk"-record for the entire registry! 238 239 Windows nt date/time format 240 =========================== 241 The time-format is a 64-bit integer which is incremented every 242 0,0000001 seconds by 1 (I dont know how accurate it really is!) 243 It starts with 0 at the 1st of january 1601 0:00! All values are 244 stored in GMT time! The time-zone is important to get the real 245 time! 246 247 Common values for win95 and win-nt 248 ================================== 249 Offset values marking an "end of list", are either 0 or -1 (0xFFFFFFFF). 250 If a value has no name (length=0, flag(bit 0)=0), it is treated as the 251 "Default" entry... 252 If a value has no data (length=0), it is displayed as empty. 253 254 simplyfied win-3.?? registry: 255 ============================= 256 257 +-----------+ 258 | next rec. |---+ +----->+------------+ 259 | first sub | | | | Usage cnt. | 260 | name | | +-->+------------+ | | length | 261 | value | | | | next rec. | | | text |------->+-------+ 262 +-----------+ | | | name rec. |--+ +------------+ | xxxxx | 263 +------------+ | | value rec. |-------->+------------+ +-------+ 264 v | +------------+ | Usage cnt. | 265 +-----------+ | | length | 266 | next rec. | | | text |------->+-------+ 267 | first sub |------+ +------------+ | xxxxx | 268 | name | +-------+ 269 | value | 270 +-----------+ 271 272 Greatly simplyfied structure of the nt-registry: 273 ================================================ 274 275 +---------------------------------------------------------------+ 276 | | 277 v | 278 +---------+ +---------->+-----------+ +----->+---------+ | 279 | "nk" | | | lf-rec. | | | nk-rec. | | 280 | ID | | | # of keys | | | parent |---+ 281 | Date | | | 1st key |--+ | .... | 282 | parent | | +-----------+ +---------+ 283 | suk-keys|-----+ 284 | values |--------------------->+----------+ 285 | SK-rec. |---------------+ | 1. value |--> +----------+ 286 | class |--+ | +----------+ | vk-rec. | 287 +---------+ | | | .... | 288 v | | data |--> +-------+ 289 +------------+ | +----------+ | xxxxx | 290 | Class name | | +-------+ 291 +------------+ | 292 v 293 +---------+ +---------+ 294 +----->| next sk |--->| Next sk |--+ 295 | +---| prev sk |<---| prev sk | | 296 | | | .... | | ... | | 297 | | +---------+ +---------+ | 298 | | ^ | 299 | | | | 300 | +--------------------+ | 301 +----------------------------------+ 302 303 --------------------------------------------------------------------------- 304 305 Hope this helps.... (Although it was *fun* for me to uncover this things, 306 it took me several sleepless nights ;) 307 308 B.D. 309 310 *************************************************************************/ 38 NOTE: the comments he refers to have been moved to doc/winntreg.txt 39 40 **************************************************************************/ 41 311 42 312 43 #include <stdio.h> … … 1154 885 unsigned short num_nulls; 1155 886 unsigned char* ascii; 1156 unsigned int ascii_max; 1157 int str_rem; 887 unsigned char* cur_str; 888 unsigned int cur_str_len; 889 unsigned int ascii_max, cur_str_max; 890 unsigned int str_rem, cur_str_rem, alen; 1158 891 1159 892 switch (type) … … 1216 949 case REG_TYPE_MULTISZ: 1217 950 ascii_max = sizeof(char)*len*4; 951 cur_str_max = sizeof(char)*len+1; 952 cur_str = malloc(cur_str_max); 1218 953 ascii = malloc(ascii_max+4); 1219 954 if(ascii == NULL) … … 1228 963 num_nulls = 0; 1229 964 str_rem = ascii_max; 1230 for(i=0; (i < len) && (num_nulls < 4) && str_rem > 0; i++) 965 cur_str_rem = cur_str_max; 966 cur_str_len = 0; 967 968 *asciip = '"'; 969 asciip +=1; 970 971 for(i=0; (i < len) && str_rem > 0; i++) 1231 972 { 1232 asciip += snprintf((char*)asciip, str_rem, "%02x ", 1233 *(unsigned char *)(datap+i)); 1234 str_rem -= 3; 1235 if(*(datap+i) == 0) 973 *(cur_str+cur_str_len) = *(datap+i); 974 if(*(cur_str+cur_str_len) == 0) 1236 975 num_nulls++; 1237 976 else 1238 977 num_nulls = 0; 1239 } 1240 *asciip = '\0'; 978 cur_str_len++; 979 980 if(num_nulls == 2) 981 { 982 uni_to_ascii(cur_str, asciip, str_rem, 0); 983 alen = strlen((char*)asciip); 984 asciip += alen; 985 str_rem -= alen; 986 if(*(datap+i+1) == 0 && *(datap+i+2) == 0) 987 break; 988 else 989 { 990 alen = snprintf((char*)asciip, str_rem, "%s", "\" \""); 991 asciip += alen; 992 str_rem -= alen; 993 memset(cur_str, 0, cur_str_max); 994 cur_str_len = 0; 995 num_nulls = 0; 996 /* To eliminate leading nulls in subsequent strings. */ 997 i++; 998 } 999 } 1000 } 1001 snprintf((char*)asciip, str_rem, "%s", "\""); 1241 1002 return ascii; 1242 1003 break; … … 2311 2072 fprintf(stderr, "\n\t-v\t sets verbose mode"); 2312 2073 fprintf(stderr, "\n\t-f\t a simple prefix filter."); 2313 fprintf(stderr, "\n\t-p\t prints the registry");2314 2074 fprintf(stderr, "\n\t-s\t prints security descriptors"); 2315 2075 fprintf(stderr, "\n"); … … 2408 2168 nt_key_iterator(regf, regf->root, 0, "", filter_prefix); 2409 2169 2410 /* XXX: debugging; remove me. */2411 printf("%d,%d,%d\n",2412 str_is_prefix("foo", "foobar"),2413 str_is_prefix("", "xyz"),2414 str_is_prefix("foo", "foo"));2415 2416 2170 return 0; 2417 2171 }
Note: See TracChangeset
for help on using the changeset viewer.