1 /* hivexsh - Hive shell.
2 * Copyright (C) 2009 Red Hat Inc.
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation; either version 2 of the License, or
7 * (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License along
15 * with this program; if not, write to the Free Software Foundation, Inc.,
16 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
31 #ifdef HAVE_LIBREADLINE
32 #include <readline/readline.h>
33 #include <readline/history.h>
38 #define _(str) dgettext(PACKAGE, (str))
39 //#define N_(str) dgettext(PACKAGE, (str))
45 #define STREQ(a,b) (strcmp((a),(b)) == 0)
46 #define STRCASEEQ(a,b) (strcasecmp((a),(b)) == 0)
47 #define STRNEQ(a,b) (strcmp((a),(b)) != 0)
48 //#define STRCASENEQ(a,b) (strcasecmp((a),(b)) != 0)
49 //#define STREQLEN(a,b,n) (strncmp((a),(b),(n)) == 0)
50 //#define STRCASEEQLEN(a,b,n) (strncasecmp((a),(b),(n)) == 0)
51 //#define STRNEQLEN(a,b,n) (strncmp((a),(b),(n)) != 0)
52 //#define STRCASENEQLEN(a,b,n) (strncasecmp((a),(b),(n)) != 0)
53 //#define STRPREFIX(a,b) (strncmp((a),(b),strlen((b))) == 0)
61 static hive_h *h = NULL;
62 static char *prompt_string = NULL; /* Normal prompt string. */
63 static char *loaded = NULL; /* Basename of loaded file, if any. */
64 static hive_node_h cwd; /* Current node. */
65 static int open_flags = 0; /* Flags used when loading a hive file. */
67 static void usage (void) __attribute__((noreturn));
68 static void print_node_path (hive_node_h, FILE *);
69 static void set_prompt_string (void);
70 static void initialize_readline (void);
71 static void cleanup_readline (void);
72 static void add_history_line (const char *);
73 static char *rl_gets (const char *prompt_string);
74 static void sort_strings (char **strings, int len);
75 static int dispatch (char *cmd, char *args);
76 static int cmd_cd (char *path);
77 static int cmd_close (char *path);
78 static int cmd_help (char *args);
79 static int cmd_load (char *hivefile);
80 static int cmd_ls (char *args);
81 static int cmd_lsval (char *args);
86 fprintf (stderr, "hivexsh [-df] [hivefile]\n");
91 main (int argc, char *argv[])
93 setlocale (LC_ALL, "");
94 bindtextdomain (PACKAGE, LOCALEBASEDIR);
98 const char *filename = NULL;
100 set_prompt_string ();
102 while ((c = getopt (argc, argv, "df")) != EOF) {
105 open_flags |= HIVEX_OPEN_DEBUG;
116 if (optind + 1 != argc)
118 if (cmd_load (argv[optind]) == -1)
122 /* -f filename parameter */
125 if (open (filename, O_RDONLY) == -1) {
133 initialize_readline ();
138 "Welcome to hivexsh, the hivex interactive shell for examining\n"
139 "Windows Registry binary hive files.\n"
141 "Type: 'help' for help summary\n"
142 " 'quit' to quit the shell\n"
146 char *buf = rl_gets (prompt_string);
154 while (*buf && c_isspace (*buf))
157 /* Ignore blank line. */
160 /* If the next character is '#' then this is a comment. */
161 if (*buf == '#') continue;
163 /* Parsing is very simple - much simpler than guestfish. This is
164 * because Registry keys often contain spaces, and we don't want
165 * to bother with quoting. Therefore here we just split at the
166 * first whitespace into "cmd<whitespace>arg(s)". We let the
167 * command decide how to deal with arg(s), if at all.
169 size_t len = strcspn (buf, " \t");
171 if (len == 0) continue;
177 if (buf[len] == '\0') {
178 /* This is mostly safe. Although the cmd_* functions do sometimes
179 * modify args, then shouldn't do so when args is "".
186 args = buf + len + 1 + strspn (&buf[len+1], " \t");
189 while (len > 0 && c_isspace (args[len-1])) {
195 /*printf ("command: '%s' args: '%s'\n", cmd, args)*/;
196 int r = dispatch (cmd, args);
197 if (!is_tty && r == -1)
202 free (prompt_string);
204 if (h) hivex_close (h);
208 /* Set the prompt string. This is called whenever it could change, eg.
209 * after loading a file or changing directory.
212 set_prompt_string (void)
214 free (prompt_string);
215 prompt_string = NULL;
220 fp = open_memstream (&ptr, &size);
222 perror ("open_memstream");
227 assert (loaded != NULL);
231 print_node_path (cwd, fp);
239 /* Print the \full\path of a node. */
241 print_node_path (hive_node_h node, FILE *fp)
243 hive_node_h root = hivex_root (h);
250 hive_node_h parent = hivex_node_parent (h, node);
252 fprintf (stderr, _("hivexsh: error getting parent of node %zu\n"), node);
255 print_node_path (parent, fp);
260 char *name = hivex_node_name (h, node);
262 fprintf (stderr, _("hivexsh: error getting node name of node %zx\n"), node);
270 static char *line_read = NULL;
273 rl_gets (const char *prompt_string)
275 #ifdef HAVE_LIBREADLINE
283 line_read = readline (prompt_string);
285 if (line_read && *line_read)
286 add_history_line (line_read);
291 #endif /* HAVE_LIBREADLINE */
293 static char buf[8192];
297 printf ("%s", prompt_string);
298 line_read = fgets (buf, sizeof buf, stdin);
301 len = strlen (line_read);
302 if (len > 0 && buf[len-1] == '\n') buf[len-1] = '\0';
308 #ifdef HAVE_LIBREADLINE
309 static char histfile[1024];
310 static int nr_history_lines = 0;
314 initialize_readline (void)
316 #ifdef HAVE_LIBREADLINE
319 home = getenv ("HOME");
321 snprintf (histfile, sizeof histfile, "%s/.hivexsh", home);
323 (void) read_history (histfile);
326 rl_readline_name = "hivexsh";
331 cleanup_readline (void)
333 #ifdef HAVE_LIBREADLINE
336 if (histfile[0] != '\0') {
337 fd = open (histfile, O_WRONLY|O_CREAT, 0644);
344 (void) append_history (nr_history_lines, histfile);
350 add_history_line (const char *line)
352 #ifdef HAVE_LIBREADLINE
359 compare (const void *vp1, const void *vp2)
361 char * const *p1 = (char * const *) vp1;
362 char * const *p2 = (char * const *) vp2;
363 return strcasecmp (*p1, *p2);
367 sort_strings (char **strings, int len)
369 qsort (strings, len, sizeof (char *), compare);
373 dispatch (char *cmd, char *args)
375 if (STRCASEEQ (cmd, "help"))
376 return cmd_help (args);
377 else if (STRCASEEQ (cmd, "load"))
378 return cmd_load (args);
379 else if (STRCASEEQ (cmd, "exit") ||
380 STRCASEEQ (cmd, "q") ||
381 STRCASEEQ (cmd, "quit")) {
386 /* If no hive file is loaded (!h) then only the small selection of
387 * commands above will work.
390 fprintf (stderr, _("hivexsh: you must load a hive file first using 'load hivefile'\n"));
394 if (STRCASEEQ (cmd, "cd"))
395 return cmd_cd (args);
396 else if (STRCASEEQ (cmd, "close") || STRCASEEQ (cmd, "unload"))
397 return cmd_close (args);
398 else if (STRCASEEQ (cmd, "ls"))
399 return cmd_ls (args);
400 else if (STRCASEEQ (cmd, "lsval"))
401 return cmd_lsval (args);
403 fprintf (stderr, _("hivexsh: unknown command '%s', use 'help' for help summary\n"),
410 cmd_load (char *hivefile)
412 if (STREQ (hivefile, "")) {
413 fprintf (stderr, _("hivexsh: load: no hive file name given to load\n"));
417 if (h) hivex_close (h);
425 h = hivex_open (hivefile, open_flags);
429 "hivexsh: failed to open hive file: %s: %m\n"
431 "If you think this file is a valid Windows binary hive file (_not_\n"
432 "a regedit *.reg file) then please run this command again using the\n"
433 "hivexsh option '-d' and attach the complete output _and_ the hive file\n"
434 "which fails into a bug report at https://bugzilla.redhat.com/\n"
440 /* Get the basename of the file for the prompt. */
441 char *p = strrchr (hivefile, '/');
443 loaded = strdup (p+1);
445 loaded = strdup (hivefile);
451 cwd = hivex_root (h);
453 set_prompt_string ();
459 cmd_close (char *args)
461 if (STRNEQ (args, "")) {
462 fprintf (stderr, _("hivexsh: '%s' command should not be given arguments\n"),
467 if (h) hivex_close (h);
475 set_prompt_string ();
483 if (STREQ (path, "")) {
484 print_node_path (cwd, stdout);
485 fputc ('\n', stdout);
489 if (path[0] == '\\' && path[1] == '\\') {
490 fprintf (stderr, _("%s: %s: \\ characters in path are doubled - are you escaping the path parameter correctly?\n"), "hivexsh", path);
494 hive_node_h new_cwd = cwd;
495 hive_node_h root = hivex_root (h);
497 if (path[0] == '\\') {
503 size_t len = strcspn (path, "\\");
510 path = path[len] == '\0' ? &path[len] : &path[len+1];
513 if (len == 1 && STREQ (elem, "."))
516 if (len == 2 && STREQ (elem, "..")) {
518 new_cwd = hivex_node_parent (h, new_cwd);
522 new_cwd = hivex_node_get_child (h, new_cwd, elem);
524 fprintf (stderr, _("hivexsh: cd: subkey '%s' not found\n"),
530 if (new_cwd != cwd) {
532 set_prompt_string ();
539 cmd_help (char *args)
542 "Navigate through the hive's keys using the 'cd' command, as if it\n"
543 "contained a filesystem, and use 'ls' to list the subkeys of the\n"
544 "current key. Full documentation is in the hivexsh(1) manual page.\n"));
552 if (STRNEQ (args, "")) {
553 fprintf (stderr, _("hivexsh: '%s' command should not be given arguments\n"),
558 /* Get the subkeys. */
559 hive_node_h *children = hivex_node_children (h, cwd);
560 if (children == NULL) {
565 /* Get names for each subkey. */
567 for (len = 0; children[len] != 0; ++len)
570 char **names = calloc (len, sizeof (char *));
578 for (i = 0; i < len; ++i) {
579 names[i] = hivex_node_name (h, children[i]);
580 if (names[i] == NULL) {
581 perror ("hivex_node_name");
586 /* Sort the names. */
587 sort_strings (names, len);
589 for (i = 0; i < len; ++i)
590 printf ("%s\n", names[i]);
595 for (i = 0; i < len; ++i)
602 cmd_lsval (char *key)
604 if (STRNEQ (key, "")) {
608 if (STREQ (key, "@")) /* default key written as "@" */
609 value = hivex_node_get_value (h, cwd, "");
611 value = hivex_node_get_value (h, cwd, key);
616 /* else key not found */
617 fprintf (stderr, _("%s: %s: key not found\n"), "hivexsh", key);
621 /* Print the value. */
624 if (hivex_value_type (h, value, &t, &len) == -1)
629 case hive_t_expand_string:
631 char *str = hivex_value_string (h, value);
635 puts (str); /* note: this adds a single \n character */
641 case hive_t_dword_be: {
642 int32_t j = hivex_value_dword (h, value);
643 printf ("%" PRIi32 "\n", j);
648 int64_t j = hivex_value_qword (h, value);
649 printf ("%" PRIi64 "\n", j);
653 case hive_t_multiple_strings: {
654 char **strs = hivex_value_multiple_strings (h, value);
658 for (j = 0; strs[j] != NULL; ++j) {
668 case hive_t_resource_list:
669 case hive_t_full_resource_description:
670 case hive_t_resource_requirements_list:
672 char *data = hivex_value_value (h, value, &t, &len);
676 if (fwrite (data, 1, len, stdout) != len)
684 /* No key specified, so print all keys in this node. We do this
685 * in a format which looks like the output of regedit, although
686 * this isn't a particularly useful format.
688 hive_value_h *values;
690 values = hivex_node_values (h, cwd);
695 for (i = 0; values[i] != 0; ++i) {
696 char *key = hivex_value_key (h, values[i]);
697 if (!key) goto error;
702 for (j = 0; key[j] != 0; ++j) {
703 if (key[j] == '"' || key[j] == '\\')
709 printf ("\"@\""); /* default key in regedit files */
715 if (hivex_value_type (h, values[i], &t, &len) == -1)
720 case hive_t_expand_string:
722 char *str = hivex_value_string (h, values[i]);
726 if (t != hive_t_string)
727 printf ("str(%d):", t);
730 for (j = 0; str[j] != 0; ++j) {
731 if (str[j] == '"' || str[j] == '\\')
741 case hive_t_dword_be: {
742 int32_t j = hivex_value_dword (h, values[i]);
743 printf ("dword:%08" PRIx32 "\"", j);
747 case hive_t_qword: /* sic */
750 case hive_t_multiple_strings:
751 case hive_t_resource_list:
752 case hive_t_full_resource_description:
753 case hive_t_resource_requirements_list:
755 char *data = hivex_value_value (h, values[i], &t, &len);
759 printf ("hex(%d):", t);
761 for (j = 0; j < len; ++j) {
764 printf ("%02x", data[j]);
779 perror ("hivexsh: lsval");