Changeset 77
- Timestamp:
- 01/07/07 10:19:43 (18 years ago)
- Location:
- trunk
- Files:
-
- 4 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/doc/devel/references.txt
r76 r77 8 8 http://www.microsoft.com/technet/archive/winntas/tips/winntmag/inreg.mspx 9 9 10 - Registry key, value, and depth limits: 11 http://msdn2.microsoft.com/en-us/library/ms724872.aspx 12 10 13 - Misc references for windows registry permissions and ownership: 11 14 http://msdn2.microsoft.com/en-gb/library/ms724878.aspx … … 16 19 http://support.microsoft.com/kb/220167 17 20 http://msdn2.microsoft.com/en-us/library/aa772242.aspx 21 22 - Info on SAM hive, syskey, and hash extraction (with tools bkhive and samdump2): 23 http://www.studenti.unina.it/~ncuomo/syskey/ -
trunk/include/regfio.h
r72 r77 86 86 #define VK_FLAG_NAME_PRESENT 0x0001 87 87 #define VK_DATA_IN_OFFSET 0x80000000 88 #define VK_MAX_DATA_LENGTH 1024*1024 88 89 89 90 /* NK record macros */ -
trunk/lib/regfio.c
r76 r77 1085 1085 1086 1086 data_size = ((start_off - end_off ) & 0xfffffff8 ); 1087 /* XXX: should probably print a warning here */ 1087 1088 /*if ( data_size != vk->rec_size ) 1088 1089 DEBUG(10,("prs_vk_rec: data_size check failed (0x%x < 0x%x)\n", data_size, vk->rec_size));*/ -
trunk/src/reglookup.c
r72 r77 179 179 * value, and a non-NULL (*error_msg). 180 180 */ 181 static char* data_to_ascii(unsigned char *datap, int len, inttype,181 static char* data_to_ascii(unsigned char *datap, uint32 len, uint32 type, 182 182 char** error_msg) 183 183 { … … 189 189 char* tmp_err; 190 190 const char* str_type; 191 u nsigned inti;192 u nsigned intcur_str_len;193 u nsigned intascii_max, cur_str_max;194 u nsigned intstr_rem, cur_str_rem, alen;191 uint32 i; 192 uint32 cur_str_len; 193 uint32 ascii_max, cur_str_max; 194 uint32 str_rem, cur_str_rem, alen; 195 195 int ret_err; 196 196 unsigned short num_nulls; … … 365 365 366 366 /* XXX: Dont know what to do with these yet, just print as binary... */ 367 default: 368 fprintf(stderr, "WARNING: Unrecognized registry data type (0x%.8X); quoting as binary.\n", type); 369 367 370 case REG_NONE: 368 371 case REG_RESOURCE_LIST: … … 374 377 break; 375 378 } 376 377 378 /* Invalid type */379 *error_msg = (char*)malloc(33+11+1);380 if(*error_msg != NULL)381 sprintf(*error_msg, "Unrecognized registry data type: %d", type);382 379 383 380 return NULL; … … 483 480 void printValue(REGF_VK_REC* vk, char* prefix) 484 481 { 485 uint32 size;486 uint8 tmp_buf[4];487 482 char* quoted_value = NULL; 488 483 char* quoted_name = NULL; 489 484 char* conv_error = NULL; 485 const char* str_type = NULL; 486 uint32 size; 487 uint8 tmp_buf[4]; 490 488 491 489 /* Thanks Microsoft for making this process so straight-forward!!! */ … … 498 496 tmp_buf[3] = (uint8)(vk->data_off & 0xFF); 499 497 if(size > 4) 498 /* XXX: should we kick out a warning here? If it is in the 499 * offset and longer than four, file could be corrupt 500 * or malicious... */ 500 501 size = 4; 501 502 quoted_value = data_to_ascii(tmp_buf, 4, vk->type, &conv_error); … … 503 504 else 504 505 { 505 /* XXX: This is a safety hack. No data fields have yet been found 506 * larger, but length limits are probably better got from fields 507 * in the registry itself, within reason. 506 /* Microsoft's documentation indicates that "available memory" is 507 * the limit on value sizes. Annoying. We limit it to 1M which 508 * should rarely be exceeded, unless the file is corrupt or 509 * malicious. For more info, see: 510 * http://msdn2.microsoft.com/en-us/library/ms724872.aspx 508 511 */ 509 if(size > 16384)510 { 511 fprintf(stderr, "WARNING: keysize %d larger than "512 " 16384, truncating...\n", size);513 size = 16384;512 if(size > VK_MAX_DATA_LENGTH) 513 { 514 fprintf(stderr, "WARNING: value data size %d larger than " 515 "%d, truncating...\n", size, VK_MAX_DATA_LENGTH); 516 size = VK_MAX_DATA_LENGTH; 514 517 } 515 518 … … 538 541 "warning returned: %s\n", prefix, quoted_name, conv_error); 539 542 543 str_type = regfio_type_val2str(vk->type); 540 544 if(print_security) 541 printf("%s/%s,%s,%s,,,,,\n", prefix, quoted_name, 542 regfio_type_val2str(vk->type), quoted_value); 545 { 546 if(str_type == NULL) 547 printf("%s/%s,0x%.8X,%s,,,,,\n", prefix, quoted_name, 548 vk->type, quoted_value); 549 else 550 printf("%s/%s,%s,%s,,,,,\n", prefix, quoted_name, 551 str_type, quoted_value); 552 } 543 553 else 544 printf("%s/%s,%s,%s,\n", prefix, quoted_name, 545 regfio_type_val2str(vk->type), quoted_value); 546 554 { 555 if(str_type == NULL) 556 printf("%s/%s,0x%.8X,%s,\n", prefix, quoted_name, 557 vk->type, quoted_value); 558 else 559 printf("%s/%s,%s,%s,\n", prefix, quoted_name, 560 str_type, quoted_value); 561 } 562 547 563 if(quoted_value != NULL) 548 564 free(quoted_value);
Note: See TracChangeset
for help on using the changeset viewer.