Changeset 77 for trunk

Timestamp:

01/07/07 10:19:43 (17 years ago)

Author:

tim

Message:

Improved support for unknown registry types.

Fixed potential security issue.

Location:

trunk

Files:

• doc/devel/references.txt (modified) (2 diffs)
• include/regfio.h (modified) (1 diff)
• lib/regfio.c (modified) (1 diff)
• src/reglookup.c (modified) (8 diffs)

trunk/doc/devel/references.txt

@@ -8 +8 @@
   http://www.microsoft.com/technet/archive/winntas/tips/winntmag/inreg.mspx
 
+- Registry key, value, and depth limits:
+  http://msdn2.microsoft.com/en-us/library/ms724872.aspx
+
 - Misc references for windows registry permissions and ownership:
   http://msdn2.microsoft.com/en-gb/library/ms724878.aspx
@@ -16 +19 @@
   http://support.microsoft.com/kb/220167
   http://msdn2.microsoft.com/en-us/library/aa772242.aspx
+
+- Info on SAM hive, syskey, and hash extraction (with tools bkhive and samdump2):
+  http://www.studenti.unina.it/~ncuomo/syskey/

trunk/include/regfio.h

@@ -86 +86 @@
 #define VK_FLAG_NAME_PRESENT    0x0001
 #define VK_DATA_IN_OFFSET       0x80000000
+#define VK_MAX_DATA_LENGTH      1024*1024
 
 /* NK record macros */

trunk/lib/regfio.c

@@ -1085 +1085 @@
 
   data_size = ((start_off - end_off ) & 0xfffffff8 );
+  /* XXX: should probably print a warning here */
   /*if ( data_size !=  vk->rec_size )
     DEBUG(10,("prs_vk_rec: data_size check failed (0x%x < 0x%x)\n", data_size, vk->rec_size));*/

trunk/src/reglookup.c

@@ -179 +179 @@
  * value, and a non-NULL (*error_msg).
  */
-static char* data_to_ascii(unsigned char *datap, int len, int type, 
+static char* data_to_ascii(unsigned char *datap, uint32 len, uint32 type, 
                            char** error_msg)
 {
@@ -189 +189 @@
   char* tmp_err;
   const char* str_type;
-  unsigned int i;
-  unsigned int cur_str_len;
-  unsigned int ascii_max, cur_str_max;
-  unsigned int str_rem, cur_str_rem, alen;
+  uint32 i;
+  uint32 cur_str_len;
+  uint32 ascii_max, cur_str_max;
+  uint32 str_rem, cur_str_rem, alen;
   int ret_err;
   unsigned short num_nulls;
@@ -365 +365 @@
 
   /* XXX: Dont know what to do with these yet, just print as binary... */
+  default:
+    fprintf(stderr, "WARNING: Unrecognized registry data type (0x%.8X); quoting as binary.\n", type);
+    
   case REG_NONE:
   case REG_RESOURCE_LIST:
@@ -374 +377 @@
     break;
   }
-
-
-  /* Invalid type */
-  *error_msg = (char*)malloc(33+11+1);
-  if(*error_msg != NULL)
-    sprintf(*error_msg, "Unrecognized registry data type: %d", type);
 
   return NULL;
@@ -483 +480 @@
 void printValue(REGF_VK_REC* vk, char* prefix)
 {
-  uint32 size;
-  uint8 tmp_buf[4];
   char* quoted_value = NULL;
   char* quoted_name = NULL;
   char* conv_error = NULL;
+  const char* str_type = NULL;
+  uint32 size;
+  uint8 tmp_buf[4];
 
   /* Thanks Microsoft for making this process so straight-forward!!! */
@@ -498 +496 @@
     tmp_buf[3] = (uint8)(vk->data_off & 0xFF);
     if(size > 4)
+      /* XXX: should we kick out a warning here?  If it is in the 
+       *      offset and longer than four, file could be corrupt 
+       *      or malicious... */
       size = 4;
     quoted_value = data_to_ascii(tmp_buf, 4, vk->type, &conv_error);
@@ -503 +504 @@
   else
   {
-    /* XXX: This is a safety hack.  No data fields have yet been found
-     * larger, but length limits are probably better got from fields
-     * in the registry itself, within reason.
+    /* Microsoft's documentation indicates that "available memory" is 
+     * the limit on value sizes.  Annoying.  We limit it to 1M which 
+     * should rarely be exceeded, unless the file is corrupt or 
+     * malicious. For more info, see:
+     *   http://msdn2.microsoft.com/en-us/library/ms724872.aspx
      */
-    if(size > 16384)
-    {
-      fprintf(stderr, "WARNING: key size %d larger than "
-              "16384, truncating...\n", size);
-      size = 16384;
+    if(size > VK_MAX_DATA_LENGTH)
+    {
+      fprintf(stderr, "WARNING: value data size %d larger than "
+              "%d, truncating...\n", size, VK_MAX_DATA_LENGTH);
+      size = VK_MAX_DATA_LENGTH;
     }
 
@@ -538 +541 @@
               "warning returned: %s\n", prefix, quoted_name, conv_error);
 
+  str_type = regfio_type_val2str(vk->type);
   if(print_security)
-    printf("%s/%s,%s,%s,,,,,\n", prefix, quoted_name,
-           regfio_type_val2str(vk->type), quoted_value);
+  {
+    if(str_type == NULL)
+      printf("%s/%s,0x%.8X,%s,,,,,\n", prefix, quoted_name,
+             vk->type, quoted_value);
+    else
+      printf("%s/%s,%s,%s,,,,,\n", prefix, quoted_name,
+             str_type, quoted_value);
+  }
   else
-    printf("%s/%s,%s,%s,\n", prefix, quoted_name,
-           regfio_type_val2str(vk->type), quoted_value);
-  
+  {
+    if(str_type == NULL)
+      printf("%s/%s,0x%.8X,%s,\n", prefix, quoted_name,
+             vk->type, quoted_value);
+    else
+      printf("%s/%s,%s,%s,\n", prefix, quoted_name,
+             str_type, quoted_value);
+  }
+
   if(quoted_value != NULL)
     free(quoted_value);