1 /* hivexsh - Hive shell.
2 * Copyright (C) 2009 Red Hat Inc.
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation; either version 2 of the License, or
7 * (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License along
15 * with this program; if not, write to the Free Software Foundation, Inc.,
16 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
36 #ifdef HAVE_LIBREADLINE
37 #include <readline/readline.h>
38 #include <readline/history.h>
43 #define _(str) dgettext(PACKAGE, (str))
44 //#define N_(str) dgettext(PACKAGE, (str))
50 #define STREQ(a,b) (strcmp((a),(b)) == 0)
51 #define STRCASEEQ(a,b) (strcasecmp((a),(b)) == 0)
52 #define STRNEQ(a,b) (strcmp((a),(b)) != 0)
53 //#define STRCASENEQ(a,b) (strcasecmp((a),(b)) != 0)
54 //#define STREQLEN(a,b,n) (strncmp((a),(b),(n)) == 0)
55 //#define STRCASEEQLEN(a,b,n) (strncasecmp((a),(b),(n)) == 0)
56 //#define STRNEQLEN(a,b,n) (strncmp((a),(b),(n)) != 0)
57 //#define STRCASENEQLEN(a,b,n) (strncasecmp((a),(b),(n)) != 0)
58 #define STRPREFIX(a,b) (strncmp((a),(b),strlen((b))) == 0)
64 #include "byte_conversions.h"
66 #define HIVEX_MAX_VALUES 1000
70 static hive_h *h = NULL;
71 static char *prompt_string = NULL; /* Normal prompt string. */
72 static char *loaded = NULL; /* Basename of loaded file, if any. */
73 static hive_node_h cwd; /* Current node. */
74 static int open_flags = 0; /* Flags used when loading a hive file. */
76 static void usage (void) __attribute__((noreturn));
77 static void print_node_path (hive_node_h, FILE *);
78 static void set_prompt_string (void);
79 static void initialize_readline (void);
80 static void cleanup_readline (void);
81 static void add_history_line (const char *);
82 static char *rl_gets (const char *prompt_string);
83 static void sort_strings (char **strings, int len);
84 static int get_xdigit (char c);
85 static int dispatch (char *cmd, char *args);
86 static int cmd_add (char *name);
87 static int cmd_cd (char *path);
88 static int cmd_close (char *path);
89 static int cmd_commit (char *path);
90 static int cmd_del (char *args);
91 static int cmd_help (char *args);
92 static int cmd_load (char *hivefile);
93 static int cmd_ls (char *args);
94 static int cmd_lsval (char *args);
95 static int cmd_setval (char *args);
100 fprintf (stderr, "hivexsh [-dfw] [hivefile]\n");
105 main (int argc, char *argv[])
107 setlocale (LC_ALL, "");
108 #ifdef HAVE_BINDTEXTDOMAIN
109 bindtextdomain (PACKAGE, LOCALEBASEDIR);
110 textdomain (PACKAGE);
114 const char *filename = NULL;
116 set_prompt_string ();
118 while ((c = getopt (argc, argv, "df:w")) != EOF) {
121 open_flags |= HIVEX_OPEN_DEBUG;
127 open_flags |= HIVEX_OPEN_WRITE;
135 if (optind + 1 != argc)
137 if (cmd_load (argv[optind]) == -1)
141 /* -f filename parameter */
144 if (open (filename, O_RDONLY) == -1) {
152 initialize_readline ();
157 "Welcome to hivexsh, the hivex interactive shell for examining\n"
158 "Windows Registry binary hive files.\n"
160 "Type: 'help' for help summary\n"
161 " 'quit' to quit the shell\n"
165 char *buf = rl_gets (prompt_string);
173 while (*buf && c_isspace (*buf))
176 /* Ignore blank line. */
179 /* If the next character is '#' then this is a comment. */
180 if (*buf == '#') continue;
182 /* Parsing is very simple - much simpler than guestfish. This is
183 * because Registry keys often contain spaces, and we don't want
184 * to bother with quoting. Therefore here we just split at the
185 * first whitespace into "cmd<whitespace>arg(s)". We let the
186 * command decide how to deal with arg(s), if at all.
188 size_t len = strcspn (buf, " \t");
190 if (len == 0) continue;
195 if (buf[len] == '\0') {
196 /* This is mostly safe. Although the cmd_* functions do sometimes
197 * modify args, then shouldn't do so when args is "".
204 args = buf + len + 1 + strspn (&buf[len+1], " \t");
207 while (len > 0 && c_isspace (args[len-1])) {
213 /*printf ("command: '%s' args: '%s'\n", cmd, args)*/;
214 int r = dispatch (cmd, args);
215 if (!is_tty && r == -1)
220 free (prompt_string);
222 if (h) hivex_close (h);
226 /* Set the prompt string. This is called whenever it could change, eg.
227 * after loading a file or changing directory.
230 set_prompt_string (void)
232 free (prompt_string);
233 prompt_string = NULL;
238 fp = open_memstream (&ptr, &size);
240 perror ("open_memstream");
245 assert (loaded != NULL);
249 print_node_path (cwd, fp);
257 /* Print the \full\path of a node. */
259 print_node_path (hive_node_h node, FILE *fp)
261 hive_node_h root = hivex_root (h);
268 hive_node_h parent = hivex_node_parent (h, node);
270 fprintf (stderr, _("hivexsh: error getting parent of node %zu\n"), node);
273 print_node_path (parent, fp);
278 char *name = hivex_node_name (h, node);
280 fprintf (stderr, _("hivexsh: error getting node name of node %zx\n"), node);
288 static char *line_read = NULL;
291 rl_gets (const char *prompt_string)
293 #ifdef HAVE_LIBREADLINE
301 line_read = readline (prompt_string);
303 if (line_read && *line_read)
304 add_history_line (line_read);
309 #endif /* HAVE_LIBREADLINE */
311 static char buf[8192];
315 printf ("%s", prompt_string);
316 line_read = fgets (buf, sizeof buf, stdin);
319 len = strlen (line_read);
320 if (len > 0 && buf[len-1] == '\n') buf[len-1] = '\0';
326 #ifdef HAVE_LIBREADLINE
327 static char histfile[1024];
328 static int nr_history_lines = 0;
332 initialize_readline (void)
334 #ifdef HAVE_LIBREADLINE
337 home = getenv ("HOME");
339 snprintf (histfile, sizeof histfile, "%s/.hivexsh", home);
341 (void) read_history (histfile);
344 rl_readline_name = "hivexsh";
349 cleanup_readline (void)
351 #ifdef HAVE_LIBREADLINE
354 if (histfile[0] != '\0') {
355 fd = open (histfile, O_WRONLY|O_CREAT, 0644);
362 (void) append_history (nr_history_lines, histfile);
368 add_history_line (const char *line)
370 #ifdef HAVE_LIBREADLINE
377 compare (const void *vp1, const void *vp2)
379 char * const *p1 = (char * const *) vp1;
380 char * const *p2 = (char * const *) vp2;
381 return strcasecmp (*p1, *p2);
385 sort_strings (char **strings, int len)
387 qsort (strings, len, sizeof (char *), compare);
394 case '0'...'9': return c - '0';
395 case 'a'...'f': return c - 'a' + 10;
396 case 'A'...'F': return c - 'A' + 10;
402 dispatch (char *cmd, char *args)
404 if (STRCASEEQ (cmd, "help"))
405 return cmd_help (args);
406 else if (STRCASEEQ (cmd, "load"))
407 return cmd_load (args);
408 else if (STRCASEEQ (cmd, "exit") ||
409 STRCASEEQ (cmd, "q") ||
410 STRCASEEQ (cmd, "quit")) {
415 /* If no hive file is loaded (!h) then only the small selection of
416 * commands above will work.
419 fprintf (stderr, _("hivexsh: you must load a hive file first using 'load hivefile'\n"));
423 if (STRCASEEQ (cmd, "add"))
424 return cmd_add (args);
425 else if (STRCASEEQ (cmd, "cd"))
426 return cmd_cd (args);
427 else if (STRCASEEQ (cmd, "close") || STRCASEEQ (cmd, "unload"))
428 return cmd_close (args);
429 else if (STRCASEEQ (cmd, "commit"))
430 return cmd_commit (args);
431 else if (STRCASEEQ (cmd, "del"))
432 return cmd_del (args);
433 else if (STRCASEEQ (cmd, "ls"))
434 return cmd_ls (args);
435 else if (STRCASEEQ (cmd, "lsval"))
436 return cmd_lsval (args);
437 else if (STRCASEEQ (cmd, "setval"))
438 return cmd_setval (args);
440 fprintf (stderr, _("hivexsh: unknown command '%s', use 'help' for help summary\n"),
447 cmd_load (char *hivefile)
449 if (STREQ (hivefile, "")) {
450 fprintf (stderr, _("hivexsh: load: no hive file name given to load\n"));
454 if (h) hivex_close (h);
462 h = hivex_open (hivefile, open_flags);
466 "hivexsh: failed to open hive file: %s: %m\n"
468 "If you think this file is a valid Windows binary hive file (_not_\n"
469 "a regedit *.reg file) then please run this command again using the\n"
470 "hivexsh option '-d' and attach the complete output _and_ the hive file\n"
471 "which fails into a bug report at https://bugzilla.redhat.com/\n"
477 /* Get the basename of the file for the prompt. */
478 char *p = strrchr (hivefile, '/');
480 loaded = strdup (p+1);
482 loaded = strdup (hivefile);
488 cwd = hivex_root (h);
490 set_prompt_string ();
496 cmd_close (char *args)
498 if (STRNEQ (args, "")) {
499 fprintf (stderr, _("hivexsh: '%s' command should not be given arguments\n"),
504 if (h) hivex_close (h);
512 set_prompt_string ();
518 cmd_commit (char *path)
520 if (STREQ (path, ""))
523 if (hivex_commit (h, path, 0) == -1) {
524 perror ("hivexsh: commit");
534 if (STREQ (path, "")) {
535 print_node_path (cwd, stdout);
536 fputc ('\n', stdout);
540 if (path[0] == '\\' && path[1] == '\\') {
541 fprintf (stderr, _("%s: %s: \\ characters in path are doubled - are you escaping the path parameter correctly?\n"), "hivexsh", path);
545 hive_node_h new_cwd = cwd;
546 hive_node_h root = hivex_root (h);
548 if (path[0] == '\\') {
554 size_t len = strcspn (path, "\\");
561 path = path[len] == '\0' ? &path[len] : &path[len+1];
564 if (len == 1 && STREQ (elem, "."))
567 if (len == 2 && STREQ (elem, "..")) {
569 new_cwd = hivex_node_parent (h, new_cwd);
574 new_cwd = hivex_node_get_child (h, new_cwd, elem);
577 perror ("hivexsh: cd");
579 fprintf (stderr, _("hivexsh: cd: subkey '%s' not found\n"),
585 if (new_cwd != cwd) {
587 set_prompt_string ();
594 cmd_help (char *args)
597 "Navigate through the hive's keys using the 'cd' command, as if it\n"
598 "contained a filesystem, and use 'ls' to list the subkeys of the\n"
599 "current key. Full documentation is in the hivexsh(1) manual page.\n"));
607 if (STRNEQ (args, "")) {
608 fprintf (stderr, _("hivexsh: '%s' command should not be given arguments\n"),
613 /* Get the subkeys. */
614 hive_node_h *children = hivex_node_children (h, cwd);
615 if (children == NULL) {
620 /* Get names for each subkey. */
622 for (len = 0; children[len] != 0; ++len)
625 char **names = calloc (len, sizeof (char *));
633 for (i = 0; i < len; ++i) {
634 names[i] = hivex_node_name (h, children[i]);
635 if (names[i] == NULL) {
636 perror ("hivex_node_name");
641 /* Sort the names. */
642 sort_strings (names, len);
644 for (i = 0; i < len; ++i)
645 printf ("%s\n", names[i]);
650 for (i = 0; i < len; ++i)
657 cmd_lsval (char *key)
659 if (STRNEQ (key, "")) {
663 if (STREQ (key, "@")) /* default key written as "@" */
664 value = hivex_node_get_value (h, cwd, "");
666 value = hivex_node_get_value (h, cwd, key);
671 /* else key not found */
672 fprintf (stderr, _("%s: %s: key not found\n"), "hivexsh", key);
676 /* Print the value. */
679 if (hivex_value_type (h, value, &t, &len) == -1)
684 case hive_t_expand_string:
686 char *str = hivex_value_string (h, value);
690 puts (str); /* note: this adds a single \n character */
696 case hive_t_dword_be: {
697 int32_t j = hivex_value_dword (h, value);
698 printf ("%" PRIi32 "\n", j);
703 int64_t j = hivex_value_qword (h, value);
704 printf ("%" PRIi64 "\n", j);
708 case hive_t_multiple_strings: {
709 char **strs = hivex_value_multiple_strings (h, value);
713 for (j = 0; strs[j] != NULL; ++j) {
723 case hive_t_resource_list:
724 case hive_t_full_resource_description:
725 case hive_t_resource_requirements_list:
727 char *data = hivex_value_value (h, value, &t, &len);
731 if (fwrite (data, 1, len, stdout) != len)
739 /* No key specified, so print all keys in this node. We do this
740 * in a format which looks like the output of regedit, although
741 * this isn't a particularly useful format.
743 hive_value_h *values;
745 values = hivex_node_values (h, cwd);
750 for (i = 0; values[i] != 0; ++i) {
751 char *key = hivex_value_key (h, values[i]);
752 if (!key) goto error;
757 for (j = 0; key[j] != 0; ++j) {
758 if (key[j] == '"' || key[j] == '\\')
764 printf ("\"@\""); /* default key in regedit files */
770 if (hivex_value_type (h, values[i], &t, &len) == -1)
775 case hive_t_expand_string:
777 char *str = hivex_value_string (h, values[i]);
781 if (t != hive_t_string)
782 printf ("str(%d):", t);
785 for (j = 0; str[j] != 0; ++j) {
786 if (str[j] == '"' || str[j] == '\\')
796 case hive_t_dword_be: {
797 int32_t j = hivex_value_dword (h, values[i]);
798 printf ("dword:%08" PRIx32, j);
802 case hive_t_qword: /* sic */
805 case hive_t_multiple_strings:
806 case hive_t_resource_list:
807 case hive_t_full_resource_description:
808 case hive_t_resource_requirements_list:
810 unsigned char *data =
811 (unsigned char *) hivex_value_value (h, values[i], &t, &len);
815 printf ("hex(%d):", t);
817 for (j = 0; j < len; ++j) {
820 printf ("%02x", data[j]);
835 perror ("hivexsh: lsval");
840 cmd_setval (char *nrvals_str)
844 /* Parse number of values. */
846 xerr = xstrtol (nrvals_str, NULL, 0, &nrvals, "");
847 if (xerr != LONGINT_OK) {
848 fprintf (stderr, _("%s: %s: invalid integer parameter (%s returned %d)\n"),
849 "setval", "nrvals", "xstrtol", xerr);
852 if (nrvals < 0 || nrvals > HIVEX_MAX_VALUES) {
853 fprintf (stderr, _("%s: %s: integer out of range\n"),
858 struct hive_set_value *values =
859 calloc (nrvals, sizeof (struct hive_set_value));
860 if (values == NULL) {
867 /* Read nrvals * 2 lines of input, nrvals * (key, value) pairs, as
868 * explained in the man page.
871 for (i = 0; i < nrvals; ++i) {
873 char *buf = rl_gets (" key> ");
875 fprintf (stderr, _("hivexsh: setval: unexpected end of input\n"));
880 /* Note that buf will be overwritten by the next call to rl_gets. */
881 if (STREQ (buf, "@"))
882 values[i].key = strdup ("");
884 values[i].key = strdup (buf);
885 if (values[i].key == NULL) {
891 buf = rl_gets ("value> ");
893 fprintf (stderr, _("hivexsh: setval: unexpected end of input\n"));
898 if (STREQ (buf, "none")) {
899 values[i].t = hive_t_none;
902 else if (STRPREFIX (buf, "string:")) {
904 values[i].t = hive_t_string;
905 int nr_chars = strlen (buf);
906 values[i].len = 2 * (nr_chars + 1);
907 values[i].value = malloc (values[i].len);
908 if (!values[i].value) {
912 for (j = 0; j <= /* sic */ nr_chars; ++j) {
914 fprintf (stderr, _("hivexsh: string(utf16le): only 7 bit ASCII strings are supported for input\n"));
917 values[i].value[2*j] = buf[j];
918 values[i].value[2*j+1] = '\0';
921 else if (STRPREFIX (buf, "expandstring:")) {
923 values[i].t = hive_t_expand_string;
924 int nr_chars = strlen (buf);
925 values[i].len = 2 * (nr_chars + 1);
926 values[i].value = malloc (values[i].len);
927 if (!values[i].value) {
931 for (j = 0; j <= /* sic */ nr_chars; ++j) {
933 fprintf (stderr, _("hivexsh: string(utf16le): only 7 bit ASCII strings are supported for input\n"));
936 values[i].value[2*j] = buf[j];
937 values[i].value[2*j+1] = '\0';
940 else if (STRPREFIX (buf, "dword:")) {
942 values[i].t = hive_t_dword;
944 values[i].value = malloc (4);
945 if (!values[i].value) {
950 xerr = xstrtol (buf, NULL, 0, &n, "");
951 if (xerr != LONGINT_OK) {
952 fprintf (stderr, _("%s: %s: invalid integer parameter (%s returned %d)\n"),
953 "setval", "dword", "xstrtol", xerr);
957 if (n < 0 || n > UINT32_MAX) {
958 fprintf (stderr, _("%s: %s: integer out of range\n"),
963 uint32_t u32 = htole32 (n);
964 memcpy (values[i].value, &u32, 4);
966 else if (STRPREFIX (buf, "qword:")) {
968 values[i].t = hive_t_qword;
970 values[i].value = malloc (8);
971 if (!values[i].value) {
976 xerr = xstrtoll (buf, NULL, 0, &n, "");
977 if (xerr != LONGINT_OK) {
978 fprintf (stderr, _("%s: %s: invalid integer parameter (%s returned %d)\n"),
979 "setval", "dword", "xstrtoll", xerr);
983 if (n < 0 || n > UINT64_MAX) {
984 fprintf (stderr, _("%s: %s: integer out of range\n"),
989 uint64_t u64 = htole64 (n);
990 memcpy (values[i].value, &u64, 4);
992 else if (STRPREFIX (buf, "hex:")) {
995 size_t len = strcspn (buf, ":");
997 if (buf[len] == '\0') /* "hex:t" */
999 else { /* "hex:t:..." */
1001 nextbuf = &buf[len+1];
1005 xerr = xstrtol (buf, NULL, 0, &t, "");
1006 if (xerr != LONGINT_OK) {
1007 fprintf (stderr, _("%s: %s: invalid integer parameter (%s returned %d)\n"),
1008 "setval", "hex", "xstrtol", xerr);
1012 if (t < 0 || t > UINT32_MAX) {
1013 fprintf (stderr, _("%s: %s: integer out of range\n"),
1020 /* Read the hex data. */
1023 /* The allocation length is an overestimate, but it doesn't matter. */
1024 values[i].value = malloc (1 + strlen (buf) / 2);
1025 if (!values[i].value) {
1027 exit (EXIT_FAILURE);
1034 for (j = 0; *buf && j < 2; buf++) {
1035 if (c_isxdigit (*buf)) { /* NB: ignore non-hex digits. */
1037 c |= get_xdigit (*buf);
1042 if (j == 2) values[i].value[values[i].len++] = c;
1044 fprintf (stderr, _("hivexsh: setval: trailing garbage after hex string\n"));
1051 _("hivexsh: setval: cannot parse value string, please refer to the man page hivexsh(1) for help: %s\n"),
1057 ret = hivex_node_set_values (h, cwd, nrvals, values, 0);
1060 /* Free values array. */
1061 for (i = 0; i < nrvals; ++i) {
1062 free (values[i].key);
1063 free (values[i].value);
1071 cmd_del (char *args)
1073 if (STRNEQ (args, "")) {
1074 fprintf (stderr, _("hivexsh: '%s' command should not be given arguments\n"),
1079 if (cwd == hivex_root (h)) {
1080 fprintf (stderr, _("hivexsh: del: the root node cannot be deleted\n"));
1084 hive_node_h new_cwd = hivex_node_parent (h, cwd);
1086 if (hivex_node_delete_child (h, cwd) == -1) {
1087 perror ("hivexsh: del");
1092 set_prompt_string ();
1097 cmd_add (char *name)
1099 hive_node_h node = hivex_node_add_child (h, cwd, name);
1101 perror ("hivexsh: add");
git.annexia.org / hivex.git / blob