Changeset 77


Ignore:
Timestamp:
01/07/07 10:19:43 (18 years ago)
Author:
tim
Message:

Improved support for unknown registry types.

Fixed potential security issue.

Location:
trunk
Files:
4 edited

Legend:

Unmodified
Added
Removed
  • trunk/doc/devel/references.txt

    r76 r77  
    88  http://www.microsoft.com/technet/archive/winntas/tips/winntmag/inreg.mspx
    99
     10- Registry key, value, and depth limits:
     11  http://msdn2.microsoft.com/en-us/library/ms724872.aspx
     12
    1013- Misc references for windows registry permissions and ownership:
    1114  http://msdn2.microsoft.com/en-gb/library/ms724878.aspx
     
    1619  http://support.microsoft.com/kb/220167
    1720  http://msdn2.microsoft.com/en-us/library/aa772242.aspx
     21
     22- Info on SAM hive, syskey, and hash extraction (with tools bkhive and samdump2):
     23  http://www.studenti.unina.it/~ncuomo/syskey/
  • trunk/include/regfio.h

    r72 r77  
    8686#define VK_FLAG_NAME_PRESENT    0x0001
    8787#define VK_DATA_IN_OFFSET       0x80000000
     88#define VK_MAX_DATA_LENGTH      1024*1024
    8889
    8990/* NK record macros */
  • trunk/lib/regfio.c

    r76 r77  
    10851085
    10861086  data_size = ((start_off - end_off ) & 0xfffffff8 );
     1087  /* XXX: should probably print a warning here */
    10871088  /*if ( data_size !=  vk->rec_size )
    10881089    DEBUG(10,("prs_vk_rec: data_size check failed (0x%x < 0x%x)\n", data_size, vk->rec_size));*/
  • trunk/src/reglookup.c

    r72 r77  
    179179 * value, and a non-NULL (*error_msg).
    180180 */
    181 static char* data_to_ascii(unsigned char *datap, int len, int type,
     181static char* data_to_ascii(unsigned char *datap, uint32 len, uint32 type,
    182182                           char** error_msg)
    183183{
     
    189189  char* tmp_err;
    190190  const char* str_type;
    191   unsigned int i;
    192   unsigned int cur_str_len;
    193   unsigned int ascii_max, cur_str_max;
    194   unsigned int str_rem, cur_str_rem, alen;
     191  uint32 i;
     192  uint32 cur_str_len;
     193  uint32 ascii_max, cur_str_max;
     194  uint32 str_rem, cur_str_rem, alen;
    195195  int ret_err;
    196196  unsigned short num_nulls;
     
    365365
    366366  /* XXX: Dont know what to do with these yet, just print as binary... */
     367  default:
     368    fprintf(stderr, "WARNING: Unrecognized registry data type (0x%.8X); quoting as binary.\n", type);
     369   
    367370  case REG_NONE:
    368371  case REG_RESOURCE_LIST:
     
    374377    break;
    375378  }
    376 
    377 
    378   /* Invalid type */
    379   *error_msg = (char*)malloc(33+11+1);
    380   if(*error_msg != NULL)
    381     sprintf(*error_msg, "Unrecognized registry data type: %d", type);
    382379
    383380  return NULL;
     
    483480void printValue(REGF_VK_REC* vk, char* prefix)
    484481{
    485   uint32 size;
    486   uint8 tmp_buf[4];
    487482  char* quoted_value = NULL;
    488483  char* quoted_name = NULL;
    489484  char* conv_error = NULL;
     485  const char* str_type = NULL;
     486  uint32 size;
     487  uint8 tmp_buf[4];
    490488
    491489  /* Thanks Microsoft for making this process so straight-forward!!! */
     
    498496    tmp_buf[3] = (uint8)(vk->data_off & 0xFF);
    499497    if(size > 4)
     498      /* XXX: should we kick out a warning here?  If it is in the
     499       *      offset and longer than four, file could be corrupt
     500       *      or malicious... */
    500501      size = 4;
    501502    quoted_value = data_to_ascii(tmp_buf, 4, vk->type, &conv_error);
     
    503504  else
    504505  {
    505     /* XXX: This is a safety hack.  No data fields have yet been found
    506      * larger, but length limits are probably better got from fields
    507      * in the registry itself, within reason.
     506    /* Microsoft's documentation indicates that "available memory" is
     507     * the limit on value sizes.  Annoying.  We limit it to 1M which
     508     * should rarely be exceeded, unless the file is corrupt or
     509     * malicious. For more info, see:
     510     *   http://msdn2.microsoft.com/en-us/library/ms724872.aspx
    508511     */
    509     if(size > 16384)
    510     {
    511       fprintf(stderr, "WARNING: key size %d larger than "
    512               "16384, truncating...\n", size);
    513       size = 16384;
     512    if(size > VK_MAX_DATA_LENGTH)
     513    {
     514      fprintf(stderr, "WARNING: value data size %d larger than "
     515              "%d, truncating...\n", size, VK_MAX_DATA_LENGTH);
     516      size = VK_MAX_DATA_LENGTH;
    514517    }
    515518
     
    538541              "warning returned: %s\n", prefix, quoted_name, conv_error);
    539542
     543  str_type = regfio_type_val2str(vk->type);
    540544  if(print_security)
    541     printf("%s/%s,%s,%s,,,,,\n", prefix, quoted_name,
    542            regfio_type_val2str(vk->type), quoted_value);
     545  {
     546    if(str_type == NULL)
     547      printf("%s/%s,0x%.8X,%s,,,,,\n", prefix, quoted_name,
     548             vk->type, quoted_value);
     549    else
     550      printf("%s/%s,%s,%s,,,,,\n", prefix, quoted_name,
     551             str_type, quoted_value);
     552  }
    543553  else
    544     printf("%s/%s,%s,%s,\n", prefix, quoted_name,
    545            regfio_type_val2str(vk->type), quoted_value);
    546  
     554  {
     555    if(str_type == NULL)
     556      printf("%s/%s,0x%.8X,%s,\n", prefix, quoted_name,
     557             vk->type, quoted_value);
     558    else
     559      printf("%s/%s,%s,%s,\n", prefix, quoted_name,
     560             str_type, quoted_value);
     561  }
     562
    547563  if(quoted_value != NULL)
    548564    free(quoted_value);
Note: See TracChangeset for help on using the changeset viewer.