1 /* hivex - Windows Registry "hive" extraction library.
2 * Copyright (C) 2009-2011 Red Hat Inc.
3 * Derived from code by Petter Nordahl-Hagen under a compatible license:
4 * Copyright (c) 1997-2007 Petter Nordahl-Hagen.
5 * Derived from code by Markus Stephany under a compatible license:
6 * Copyright (c) 2000-2004, Markus Stephany.
8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public
10 * License as published by the Free Software Foundation;
11 * version 2.1 of the License.
13 * This library is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * See file LICENSE for the full license.
38 #include "full-read.h"
39 #include "full-write.h"
41 #define STREQ(a,b) (strcmp((a),(b)) == 0)
42 #define STRCASEEQ(a,b) (strcasecmp((a),(b)) == 0)
43 //#define STRNEQ(a,b) (strcmp((a),(b)) != 0)
44 //#define STRCASENEQ(a,b) (strcasecmp((a),(b)) != 0)
45 #define STREQLEN(a,b,n) (strncmp((a),(b),(n)) == 0)
46 //#define STRCASEEQLEN(a,b,n) (strncasecmp((a),(b),(n)) == 0)
47 //#define STRNEQLEN(a,b,n) (strncmp((a),(b),(n)) != 0)
48 //#define STRCASENEQLEN(a,b,n) (strncasecmp((a),(b),(n)) != 0)
49 #define STRPREFIX(a,b) (strncmp((a),(b),strlen((b))) == 0)
52 #include "byte_conversions.h"
54 /* These limits are in place to stop really stupid stuff and/or exploits. */
55 #define HIVEX_MAX_SUBKEYS 15000
56 #define HIVEX_MAX_VALUES 10000
57 #define HIVEX_MAX_VALUE_LEN 1000000
58 #define HIVEX_MAX_ALLOCATION 1000000
60 static char *windows_utf16_to_utf8 (/* const */ char *input, size_t len);
61 static size_t utf16_string_len_in_bytes_max (const char *str, size_t len);
70 /* Registry file, memory mapped if read-only, or malloc'd if writing. */
73 struct ntreg_header *hdr;
76 /* Use a bitmap to store which file offsets are valid (point to a
77 * used block). We only need to store 1 bit per 32 bits of the file
78 * (because blocks are 4-byte aligned). We found that the average
79 * block size in a registry file is ~50 bytes. So roughly 1 in 12
80 * bits in the bitmap will be set, making it likely a more efficient
81 * structure than a hash table.
84 #define BITMAP_SET(bitmap,off) (bitmap[(off)>>5] |= 1 << (((off)>>2)&7))
85 #define BITMAP_CLR(bitmap,off) (bitmap[(off)>>5] &= ~ (1 << (((off)>>2)&7)))
86 #define BITMAP_TST(bitmap,off) (bitmap[(off)>>5] & (1 << (((off)>>2)&7)))
87 #define IS_VALID_BLOCK(h,off) \
88 (((off) & 3) == 0 && \
90 (off) < (h)->size && \
91 BITMAP_TST((h)->bitmap,(off)))
93 /* Fields from the header, extracted from little-endianness hell. */
94 size_t rootoffs; /* Root key offset (always an nk-block). */
95 size_t endpages; /* Offset of end of pages. */
96 int64_t last_modified; /* mtime of base block. */
99 size_t endblocks; /* Offset to next block allocation (0
100 if not allocated anything yet). */
103 /* NB. All fields are little endian. */
104 struct ntreg_header {
105 char magic[4]; /* "regf" */
108 int64_t last_modified;
109 uint32_t major_ver; /* 1 */
110 uint32_t minor_ver; /* 3 */
111 uint32_t unknown5; /* 0 */
112 uint32_t unknown6; /* 1 */
113 uint32_t offset; /* offset of root key record - 4KB */
114 uint32_t blocks; /* pointer AFTER last hbin in file - 4KB */
115 uint32_t unknown7; /* 1 */
117 char name[64]; /* original file name of hive */
118 char unknown_guid1[16];
119 char unknown_guid2[16];
122 char unknown_guid3[16];
127 uint32_t csum; /* checksum: xor of dwords 0-0x1fb. */
129 char unknown11[3528];
131 char unknown_guid4[16];
132 char unknown_guid5[16];
133 char unknown_guid6[16];
137 } __attribute__((__packed__));
139 struct ntreg_hbin_page {
140 char magic[4]; /* "hbin" */
141 uint32_t offset_first; /* offset from 1st block */
142 uint32_t page_size; /* size of this page (multiple of 4KB) */
144 /* Linked list of blocks follows here. */
145 } __attribute__((__packed__));
147 struct ntreg_hbin_block {
148 int32_t seg_len; /* length of this block (-ve for used block) */
149 char id[2]; /* the block type (eg. "nk" for nk record) */
150 /* Block data follows here. */
151 } __attribute__((__packed__));
153 #define BLOCK_ID_EQ(h,offs,eqid) \
154 (STREQLEN (((struct ntreg_hbin_block *)((h)->addr + (offs)))->id, (eqid), 2))
157 block_len (hive_h *h, size_t blkoff, int *used)
159 struct ntreg_hbin_block *block;
160 block = (struct ntreg_hbin_block *) (h->addr + blkoff);
162 int32_t len = le32toh (block->seg_len);
173 struct ntreg_nk_record {
174 int32_t seg_len; /* length (always -ve because used) */
175 char id[2]; /* "nk" */
179 uint32_t parent; /* offset of owner/parent */
180 uint32_t nr_subkeys; /* number of subkeys */
181 uint32_t nr_subkeys_volatile;
182 uint32_t subkey_lf; /* lf record containing list of subkeys */
183 uint32_t subkey_lf_volatile;
184 uint32_t nr_values; /* number of values */
185 uint32_t vallist; /* value-list record */
186 uint32_t sk; /* offset of sk-record */
187 uint32_t classname; /* offset of classname record */
188 uint16_t max_subkey_name_len; /* maximum length of a subkey name in bytes
189 if the subkey was reencoded as UTF-16LE */
192 uint32_t max_vk_name_len; /* maximum length of any vk name in bytes
193 if the name was reencoded as UTF-16LE */
194 uint32_t max_vk_data_len; /* maximum length of any vk data in bytes */
196 uint16_t name_len; /* length of name */
197 uint16_t classname_len; /* length of classname */
198 char name[1]; /* name follows here */
199 } __attribute__((__packed__));
201 struct ntreg_lf_record {
203 char id[2]; /* "lf"|"lh" */
204 uint16_t nr_keys; /* number of keys in this record */
206 uint32_t offset; /* offset of nk-record for this subkey */
207 char hash[4]; /* hash of subkey name */
209 } __attribute__((__packed__));
211 struct ntreg_ri_record {
213 char id[2]; /* "ri" */
214 uint16_t nr_offsets; /* number of pointers to lh records */
215 uint32_t offset[1]; /* list of pointers to lh records */
216 } __attribute__((__packed__));
218 /* This has no ID header. */
219 struct ntreg_value_list {
221 uint32_t offset[1]; /* list of pointers to vk records */
222 } __attribute__((__packed__));
224 struct ntreg_vk_record {
225 int32_t seg_len; /* length (always -ve because used) */
226 char id[2]; /* "vk" */
227 uint16_t name_len; /* length of name */
228 /* length of the data:
229 * If data_len is <= 4, then it's stored inline.
230 * Top bit is set to indicate inline.
233 uint32_t data_offset; /* pointer to the data (or data if inline) */
234 uint32_t data_type; /* type of the data */
235 uint16_t flags; /* bit 0 set => key name ASCII,
236 bit 0 clr => key name UTF-16.
237 Only seen ASCII here in the wild.
238 NB: this is CLEAR for default key. */
240 char name[1]; /* key name follows here */
241 } __attribute__((__packed__));
243 struct ntreg_sk_record {
244 int32_t seg_len; /* length (always -ve because used) */
245 char id[2]; /* "sk" */
247 uint32_t sk_next; /* linked into a circular list */
249 uint32_t refcount; /* reference count */
250 uint32_t sec_len; /* length of security info */
251 char sec_desc[1]; /* security info follows */
252 } __attribute__((__packed__));
255 header_checksum (const hive_h *h)
257 uint32_t *daddr = (uint32_t *) h->addr;
261 for (i = 0; i < 0x1fc / 4; ++i) {
262 sum ^= le32toh (*daddr);
269 #define HIVEX_OPEN_MSGLVL_MASK (HIVEX_OPEN_VERBOSE|HIVEX_OPEN_DEBUG)
272 hivex_open (const char *filename, int flags)
276 assert (sizeof (struct ntreg_header) == 0x1000);
277 assert (offsetof (struct ntreg_header, csum) == 0x1fc);
279 h = calloc (1, sizeof *h);
283 h->msglvl = flags & HIVEX_OPEN_MSGLVL_MASK;
285 const char *debug = getenv ("HIVEX_DEBUG");
286 if (debug && STREQ (debug, "1"))
290 fprintf (stderr, "hivex_open: created handle %p\n", h);
292 h->writable = !!(flags & HIVEX_OPEN_WRITE);
293 h->filename = strdup (filename);
294 if (h->filename == NULL)
298 h->fd = open (filename, O_RDONLY | O_CLOEXEC);
300 h->fd = open (filename, O_RDONLY);
305 fcntl (h->fd, F_SETFD, FD_CLOEXEC);
309 if (fstat (h->fd, &statbuf) == -1)
312 h->size = statbuf.st_size;
315 h->addr = mmap (NULL, h->size, PROT_READ, MAP_SHARED, h->fd, 0);
316 if (h->addr == MAP_FAILED)
320 fprintf (stderr, "hivex_open: mapped file at %p\n", h->addr);
322 h->addr = malloc (h->size);
326 if (full_read (h->fd, h->addr, h->size) < h->size)
329 /* We don't need the file descriptor along this path, since we
330 * have read all the data.
332 if (close (h->fd) == -1)
338 if (h->hdr->magic[0] != 'r' ||
339 h->hdr->magic[1] != 'e' ||
340 h->hdr->magic[2] != 'g' ||
341 h->hdr->magic[3] != 'f') {
342 fprintf (stderr, "hivex: %s: not a Windows NT Registry hive file\n",
348 /* Check major version. */
349 uint32_t major_ver = le32toh (h->hdr->major_ver);
350 if (major_ver != 1) {
352 "hivex: %s: hive file major version %" PRIu32 " (expected 1)\n",
353 filename, major_ver);
358 h->bitmap = calloc (1 + h->size / 32, 1);
359 if (h->bitmap == NULL)
362 /* Header checksum. */
363 uint32_t sum = header_checksum (h);
364 if (sum != le32toh (h->hdr->csum)) {
365 fprintf (stderr, "hivex: %s: bad checksum in hive header\n", filename);
370 /* Last modified time. */
371 h->last_modified = le64toh ((int64_t) h->hdr->last_modified);
373 if (h->msglvl >= 2) {
374 char *name = windows_utf16_to_utf8 (h->hdr->name, 64);
377 "hivex_open: header fields:\n"
378 " file version %" PRIu32 ".%" PRIu32 "\n"
379 " sequence nos %" PRIu32 " %" PRIu32 "\n"
380 " (sequences nos should match if hive was synched at shutdown)\n"
381 " last modified %" PRIu64 "\n"
382 " (Windows filetime, x 100 ns since 1601-01-01)\n"
383 " original file name %s\n"
384 " (only 32 chars are stored, name is probably truncated)\n"
385 " root offset 0x%x + 0x1000\n"
386 " end of last page 0x%x + 0x1000 (total file size 0x%zx)\n"
387 " checksum 0x%x (calculated 0x%x)\n",
388 major_ver, le32toh (h->hdr->minor_ver),
389 le32toh (h->hdr->sequence1), le32toh (h->hdr->sequence2),
391 name ? name : "(conversion failed)",
392 le32toh (h->hdr->offset),
393 le32toh (h->hdr->blocks), h->size,
394 le32toh (h->hdr->csum), sum);
398 h->rootoffs = le32toh (h->hdr->offset) + 0x1000;
399 h->endpages = le32toh (h->hdr->blocks) + 0x1000;
402 fprintf (stderr, "hivex_open: root offset = 0x%zx\n", h->rootoffs);
404 /* We'll set this flag when we see a block with the root offset (ie.
407 int seen_root_block = 0, bad_root_block = 0;
409 /* Collect some stats. */
410 size_t pages = 0; /* Number of hbin pages read. */
411 size_t smallest_page = SIZE_MAX, largest_page = 0;
412 size_t blocks = 0; /* Total number of blocks found. */
413 size_t smallest_block = SIZE_MAX, largest_block = 0, blocks_bytes = 0;
414 size_t used_blocks = 0; /* Total number of used blocks found. */
415 size_t used_size = 0; /* Total size (bytes) of used blocks. */
417 /* Read the pages and blocks. The aim here is to be robust against
418 * corrupt or malicious registries. So we make sure the loops
419 * always make forward progress. We add the address of each block
420 * we read to a hash table so pointers will only reference the start
424 struct ntreg_hbin_page *page;
425 for (off = 0x1000; off < h->size; off += le32toh (page->page_size)) {
426 if (off >= h->endpages)
429 page = (struct ntreg_hbin_page *) (h->addr + off);
430 if (page->magic[0] != 'h' ||
431 page->magic[1] != 'b' ||
432 page->magic[2] != 'i' ||
433 page->magic[3] != 'n') {
434 fprintf (stderr, "hivex: %s: trailing garbage at end of file "
435 "(at 0x%zx, after %zu pages)\n",
436 filename, off, pages);
441 size_t page_size = le32toh (page->page_size);
443 fprintf (stderr, "hivex_open: page at 0x%zx, size %zu\n", off, page_size);
445 if (page_size < smallest_page) smallest_page = page_size;
446 if (page_size > largest_page) largest_page = page_size;
448 if (page_size <= sizeof (struct ntreg_hbin_page) ||
449 (page_size & 0x0fff) != 0) {
450 fprintf (stderr, "hivex: %s: page size %zu at 0x%zx, bad registry\n",
451 filename, page_size, off);
456 /* Read the blocks in this page. */
458 struct ntreg_hbin_block *block;
460 for (blkoff = off + 0x20;
461 blkoff < off + page_size;
465 int is_root = blkoff == h->rootoffs;
469 block = (struct ntreg_hbin_block *) (h->addr + blkoff);
471 seg_len = block_len (h, blkoff, &used);
472 if (seg_len <= 4 || (seg_len & 3) != 0) {
473 fprintf (stderr, "hivex: %s: block size %" PRIu32 " at 0x%zx,"
475 filename, le32toh (block->seg_len), blkoff);
481 fprintf (stderr, "hivex_open: %s block id %d,%d at 0x%zx size %zu%s\n",
482 used ? "used" : "free", block->id[0], block->id[1], blkoff,
483 seg_len, is_root ? " (root)" : "");
485 blocks_bytes += seg_len;
486 if (seg_len < smallest_block) smallest_block = seg_len;
487 if (seg_len > largest_block) largest_block = seg_len;
489 if (is_root && !used)
494 used_size += seg_len;
496 /* Root block must be an nk-block. */
497 if (is_root && (block->id[0] != 'n' || block->id[1] != 'k'))
500 /* Note this blkoff is a valid address. */
501 BITMAP_SET (h->bitmap, blkoff);
506 if (!seen_root_block) {
507 fprintf (stderr, "hivex: %s: no root block found\n", filename);
512 if (bad_root_block) {
513 fprintf (stderr, "hivex: %s: bad root block (free or not nk)\n", filename);
520 "hivex_open: successfully read Windows Registry hive file:\n"
521 " pages: %zu [sml: %zu, lge: %zu]\n"
522 " blocks: %zu [sml: %zu, avg: %zu, lge: %zu]\n"
523 " blocks used: %zu\n"
524 " bytes used: %zu\n",
525 pages, smallest_page, largest_page,
526 blocks, smallest_block, blocks_bytes / blocks, largest_block,
527 used_blocks, used_size);
535 if (h->addr && h->size && h->addr != MAP_FAILED) {
537 munmap (h->addr, h->size);
551 hivex_close (hive_h *h)
556 fprintf (stderr, "hivex_close\n");
560 munmap (h->addr, h->size);
573 /*----------------------------------------------------------------------
578 hivex_root (hive_h *h)
580 hive_node_h ret = h->rootoffs;
581 if (!IS_VALID_BLOCK (h, ret)) {
582 errno = HIVEX_NO_KEY;
589 hivex_node_struct_length (hive_h *h, hive_node_h node)
591 if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) {
596 struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
597 size_t name_len = le16toh (nk->name_len);
598 /* -1 to avoid double-counting the first name character */
599 size_t ret = name_len + sizeof (struct ntreg_nk_record) - 1;
601 size_t seg_len = block_len (h, node, &used);
604 fprintf (stderr, "hivex_node_struct_length: returning EFAULT because"
605 " node name is too long (%zu, %zu)\n", name_len, seg_len);
613 hivex_node_name (hive_h *h, hive_node_h node)
615 if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) {
620 struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
622 /* AFAIK the node name is always plain ASCII, so no conversion
623 * to UTF-8 is necessary. However we do need to nul-terminate
627 /* nk->name_len is unsigned, 16 bit, so this is safe ... However
628 * we have to make sure the length doesn't exceed the block length.
630 size_t len = le16toh (nk->name_len);
631 size_t seg_len = block_len (h, node, NULL);
632 if (sizeof (struct ntreg_nk_record) + len - 1 > seg_len) {
634 fprintf (stderr, "hivex_node_name: returning EFAULT because node name"
635 " is too long (%zu, %zu)\n",
641 char *ret = malloc (len + 1);
644 memcpy (ret, nk->name, len);
650 timestamp_check (hive_h *h, hive_node_h node, int64_t timestamp)
654 fprintf (stderr, "hivex: timestamp_check: "
655 "negative time reported at %zu: %" PRIi64 "\n",
665 hivex_last_modified (hive_h *h)
667 return timestamp_check (h, 0, h->last_modified);
671 hivex_node_timestamp (hive_h *h, hive_node_h node)
675 if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) {
680 struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
682 ret = le64toh (nk->timestamp);
683 return timestamp_check (h, node, ret);
687 /* I think the documentation for the sk and classname fields in the nk
688 * record is wrong, or else the offset field is in the wrong place.
689 * Otherwise this makes no sense. Disabled this for now -- it's not
690 * useful for reading the registry anyway.
694 hivex_node_security (hive_h *h, hive_node_h node)
696 if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) {
701 struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
703 hive_node_h ret = le32toh (nk->sk);
705 if (!IS_VALID_BLOCK (h, ret)) {
713 hivex_node_classname (hive_h *h, hive_node_h node)
715 if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) {
720 struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
722 hive_node_h ret = le32toh (nk->classname);
724 if (!IS_VALID_BLOCK (h, ret)) {
732 /* Structure for returning 0-terminated lists of offsets (nodes,
742 init_offset_list (struct offset_list *list)
746 list->offsets = NULL;
749 #define INIT_OFFSET_LIST(name) \
750 struct offset_list name; \
751 init_offset_list (&name)
753 /* Preallocates the offset_list, but doesn't make the contents longer. */
755 grow_offset_list (struct offset_list *list, size_t alloc)
757 assert (alloc >= list->len);
758 size_t *p = realloc (list->offsets, alloc * sizeof (size_t));
767 add_to_offset_list (struct offset_list *list, size_t offset)
769 if (list->len >= list->alloc) {
770 if (grow_offset_list (list, list->alloc ? list->alloc * 2 : 4) == -1)
773 list->offsets[list->len] = offset;
779 free_offset_list (struct offset_list *list)
781 free (list->offsets);
785 return_offset_list (struct offset_list *list)
787 if (add_to_offset_list (list, 0) == -1)
789 return list->offsets; /* caller frees */
792 /* Iterate over children, returning child nodes and intermediate blocks. */
793 #define GET_CHILDREN_NO_CHECK_NK 1
796 get_children (hive_h *h, hive_node_h node,
797 hive_node_h **children_ret, size_t **blocks_ret,
800 if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) {
805 struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
807 size_t nr_subkeys_in_nk = le32toh (nk->nr_subkeys);
809 INIT_OFFSET_LIST (children);
810 INIT_OFFSET_LIST (blocks);
812 /* Deal with the common "no subkeys" case quickly. */
813 if (nr_subkeys_in_nk == 0)
816 /* Arbitrarily limit the number of subkeys we will ever deal with. */
817 if (nr_subkeys_in_nk > HIVEX_MAX_SUBKEYS) {
819 fprintf (stderr, "hivex: get_children: returning ERANGE because "
820 "nr_subkeys_in_nk > HIVEX_MAX_SUBKEYS (%zu > %d)\n",
821 nr_subkeys_in_nk, HIVEX_MAX_SUBKEYS);
826 /* Preallocate space for the children. */
827 if (grow_offset_list (&children, nr_subkeys_in_nk) == -1)
830 /* The subkey_lf field can point either to an lf-record, which is
831 * the common case, or if there are lots of subkeys, to an
834 size_t subkey_lf = le32toh (nk->subkey_lf);
836 if (!IS_VALID_BLOCK (h, subkey_lf)) {
838 fprintf (stderr, "hivex_node_children: returning EFAULT"
839 " because subkey_lf is not a valid block (0x%zx)\n",
845 if (add_to_offset_list (&blocks, subkey_lf) == -1)
848 struct ntreg_hbin_block *block =
849 (struct ntreg_hbin_block *) (h->addr + subkey_lf);
851 /* Points to lf-record? (Note, also "lh" but that is basically the
852 * same as "lf" as far as we are concerned here).
854 if (block->id[0] == 'l' && (block->id[1] == 'f' || block->id[1] == 'h')) {
855 struct ntreg_lf_record *lf = (struct ntreg_lf_record *) block;
857 /* Check number of subkeys in the nk-record matches number of subkeys
860 size_t nr_subkeys_in_lf = le16toh (lf->nr_keys);
863 fprintf (stderr, "hivex_node_children: nr_subkeys_in_nk = %zu,"
864 " nr_subkeys_in_lf = %zu\n",
865 nr_subkeys_in_nk, nr_subkeys_in_lf);
867 if (nr_subkeys_in_nk != nr_subkeys_in_lf) {
872 size_t len = block_len (h, subkey_lf, NULL);
873 if (8 + nr_subkeys_in_lf * 8 > len) {
875 fprintf (stderr, "hivex_node_children: returning EFAULT"
876 " because too many subkeys (%zu, %zu)\n",
877 nr_subkeys_in_lf, len);
883 for (i = 0; i < nr_subkeys_in_lf; ++i) {
884 hive_node_h subkey = le32toh (lf->keys[i].offset);
886 if (!(flags & GET_CHILDREN_NO_CHECK_NK)) {
887 if (!IS_VALID_BLOCK (h, subkey)) {
889 fprintf (stderr, "hivex_node_children: returning EFAULT"
890 " because subkey is not a valid block (0x%zx)\n",
896 if (add_to_offset_list (&children, subkey) == -1)
901 /* Points to ri-record? */
902 else if (block->id[0] == 'r' && block->id[1] == 'i') {
903 struct ntreg_ri_record *ri = (struct ntreg_ri_record *) block;
905 size_t nr_offsets = le16toh (ri->nr_offsets);
907 /* Count total number of children. */
909 for (i = 0; i < nr_offsets; ++i) {
910 hive_node_h offset = le32toh (ri->offset[i]);
912 if (!IS_VALID_BLOCK (h, offset)) {
914 fprintf (stderr, "hivex_node_children: returning EFAULT"
915 " because ri-offset is not a valid block (0x%zx)\n",
920 if (!BLOCK_ID_EQ (h, offset, "lf") && !BLOCK_ID_EQ (h, offset, "lh")) {
922 fprintf (stderr, "get_children: returning ENOTSUP"
923 " because ri-record offset does not point to lf/lh (0x%zx)\n",
929 if (add_to_offset_list (&blocks, offset) == -1)
932 struct ntreg_lf_record *lf =
933 (struct ntreg_lf_record *) (h->addr + offset);
935 count += le16toh (lf->nr_keys);
939 fprintf (stderr, "hivex_node_children: nr_subkeys_in_nk = %zu,"
941 nr_subkeys_in_nk, count);
943 if (nr_subkeys_in_nk != count) {
948 /* Copy list of children. Note nr_subkeys_in_nk is limited to
949 * something reasonable above.
951 for (i = 0; i < nr_offsets; ++i) {
952 hive_node_h offset = le32toh (ri->offset[i]);
954 if (!IS_VALID_BLOCK (h, offset)) {
956 fprintf (stderr, "hivex_node_children: returning EFAULT"
957 " because ri-offset is not a valid block (0x%zx)\n",
962 if (!BLOCK_ID_EQ (h, offset, "lf") && !BLOCK_ID_EQ (h, offset, "lh")) {
964 fprintf (stderr, "get_children: returning ENOTSUP"
965 " because ri-record offset does not point to lf/lh (0x%zx)\n",
971 struct ntreg_lf_record *lf =
972 (struct ntreg_lf_record *) (h->addr + offset);
975 for (j = 0; j < le16toh (lf->nr_keys); ++j) {
976 hive_node_h subkey = le32toh (lf->keys[j].offset);
978 if (!(flags & GET_CHILDREN_NO_CHECK_NK)) {
979 if (!IS_VALID_BLOCK (h, subkey)) {
981 fprintf (stderr, "hivex_node_children: returning EFAULT"
982 " because indirect subkey is not a valid block (0x%zx)\n",
988 if (add_to_offset_list (&children, subkey) == -1)
994 /* else not supported, set errno and fall through */
996 fprintf (stderr, "get_children: returning ENOTSUP"
997 " because subkey block is not lf/lh/ri (0x%zx, %d, %d)\n",
998 subkey_lf, block->id[0], block->id[1]);
1001 free_offset_list (&children);
1002 free_offset_list (&blocks);
1006 *children_ret = return_offset_list (&children);
1007 *blocks_ret = return_offset_list (&blocks);
1008 if (!*children_ret || !*blocks_ret)
1014 hivex_node_children (hive_h *h, hive_node_h node)
1016 hive_node_h *children;
1019 if (get_children (h, node, &children, &blocks, 0) == -1)
1026 /* Very inefficient, but at least having a separate API call
1027 * allows us to make it more efficient in future.
1030 hivex_node_get_child (hive_h *h, hive_node_h node, const char *nname)
1032 hive_node_h *children = NULL;
1034 hive_node_h ret = 0;
1036 children = hivex_node_children (h, node);
1037 if (!children) goto error;
1040 for (i = 0; children[i] != 0; ++i) {
1041 name = hivex_node_name (h, children[i]);
1042 if (!name) goto error;
1043 if (STRCASEEQ (name, nname)) {
1047 free (name); name = NULL;
1057 hivex_node_parent (hive_h *h, hive_node_h node)
1059 if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) {
1064 struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
1066 hive_node_h ret = le32toh (nk->parent);
1068 if (!IS_VALID_BLOCK (h, ret)) {
1070 fprintf (stderr, "hivex_node_parent: returning EFAULT"
1071 " because parent is not a valid block (0x%zx)\n",
1080 get_values (hive_h *h, hive_node_h node,
1081 hive_value_h **values_ret, size_t **blocks_ret)
1083 if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) {
1088 struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
1090 size_t nr_values = le32toh (nk->nr_values);
1093 fprintf (stderr, "hivex_node_values: nr_values = %zu\n", nr_values);
1095 INIT_OFFSET_LIST (values);
1096 INIT_OFFSET_LIST (blocks);
1098 /* Deal with the common "no values" case quickly. */
1102 /* Arbitrarily limit the number of values we will ever deal with. */
1103 if (nr_values > HIVEX_MAX_VALUES) {
1105 fprintf (stderr, "hivex: get_values: returning ERANGE"
1106 " because nr_values > HIVEX_MAX_VALUES (%zu > %d)\n",
1107 nr_values, HIVEX_MAX_VALUES);
1112 /* Preallocate space for the values. */
1113 if (grow_offset_list (&values, nr_values) == -1)
1116 /* Get the value list and check it looks reasonable. */
1117 size_t vlist_offset = le32toh (nk->vallist);
1118 vlist_offset += 0x1000;
1119 if (!IS_VALID_BLOCK (h, vlist_offset)) {
1121 fprintf (stderr, "hivex_node_values: returning EFAULT"
1122 " because value list is not a valid block (0x%zx)\n",
1128 if (add_to_offset_list (&blocks, vlist_offset) == -1)
1131 struct ntreg_value_list *vlist =
1132 (struct ntreg_value_list *) (h->addr + vlist_offset);
1134 size_t len = block_len (h, vlist_offset, NULL);
1135 if (4 + nr_values * 4 > len) {
1137 fprintf (stderr, "hivex_node_values: returning EFAULT"
1138 " because value list is too long (%zu, %zu)\n",
1145 for (i = 0; i < nr_values; ++i) {
1146 hive_node_h value = le32toh (vlist->offset[i]);
1148 if (!IS_VALID_BLOCK (h, value)) {
1150 fprintf (stderr, "hivex_node_values: returning EFAULT"
1151 " because value is not a valid block (0x%zx)\n",
1156 if (add_to_offset_list (&values, value) == -1)
1161 *values_ret = return_offset_list (&values);
1162 *blocks_ret = return_offset_list (&blocks);
1163 if (!*values_ret || !*blocks_ret)
1168 free_offset_list (&values);
1169 free_offset_list (&blocks);
1174 hivex_node_values (hive_h *h, hive_node_h node)
1176 hive_value_h *values;
1179 if (get_values (h, node, &values, &blocks) == -1)
1186 /* Very inefficient, but at least having a separate API call
1187 * allows us to make it more efficient in future.
1190 hivex_node_get_value (hive_h *h, hive_node_h node, const char *key)
1192 hive_value_h *values = NULL;
1194 hive_value_h ret = 0;
1196 values = hivex_node_values (h, node);
1197 if (!values) goto error;
1200 for (i = 0; values[i] != 0; ++i) {
1201 name = hivex_value_key (h, values[i]);
1202 if (!name) goto error;
1203 if (STRCASEEQ (name, key)) {
1207 free (name); name = NULL;
1217 hivex_value_struct_length (hive_h *h, hive_value_h value)
1222 key_len = hivex_value_key_len (h, value);
1223 if (key_len == 0 && errno != 0)
1226 /* -1 to avoid double-counting the first name character */
1227 return key_len + sizeof (struct ntreg_vk_record) - 1;
1231 hivex_value_key_len (hive_h *h, hive_value_h value)
1233 if (!IS_VALID_BLOCK (h, value) || !BLOCK_ID_EQ (h, value, "vk")) {
1238 struct ntreg_vk_record *vk = (struct ntreg_vk_record *) (h->addr + value);
1240 /* vk->name_len is unsigned, 16 bit, so this is safe ... However
1241 * we have to make sure the length doesn't exceed the block length.
1243 size_t ret = le16toh (vk->name_len);
1244 size_t seg_len = block_len (h, value, NULL);
1245 if (sizeof (struct ntreg_vk_record) + ret - 1 > seg_len) {
1247 fprintf (stderr, "hivex_value_key_len: returning EFAULT"
1248 " because key length is too long (%zu, %zu)\n",
1257 hivex_value_key (hive_h *h, hive_value_h value)
1259 if (!IS_VALID_BLOCK (h, value) || !BLOCK_ID_EQ (h, value, "vk")) {
1264 struct ntreg_vk_record *vk = (struct ntreg_vk_record *) (h->addr + value);
1266 /* AFAIK the key is always plain ASCII, so no conversion to UTF-8 is
1267 * necessary. However we do need to nul-terminate the string.
1270 size_t len = hivex_value_key_len (h, value);
1271 if (len == 0 && errno != 0)
1274 char *ret = malloc (len + 1);
1277 memcpy (ret, vk->name, len);
1283 hivex_value_type (hive_h *h, hive_value_h value, hive_type *t, size_t *len)
1285 if (!IS_VALID_BLOCK (h, value) || !BLOCK_ID_EQ (h, value, "vk")) {
1290 struct ntreg_vk_record *vk = (struct ntreg_vk_record *) (h->addr + value);
1293 *t = le32toh (vk->data_type);
1296 *len = le32toh (vk->data_len);
1297 *len &= 0x7fffffff; /* top bit indicates if data is stored inline */
1304 hivex_value_value (hive_h *h, hive_value_h value,
1305 hive_type *t_rtn, size_t *len_rtn)
1307 if (!IS_VALID_BLOCK (h, value) || !BLOCK_ID_EQ (h, value, "vk")) {
1312 struct ntreg_vk_record *vk = (struct ntreg_vk_record *) (h->addr + value);
1318 t = le32toh (vk->data_type);
1320 len = le32toh (vk->data_len);
1321 is_inline = !!(len & 0x80000000);
1325 fprintf (stderr, "hivex_value_value: value=0x%zx, t=%d, len=%zu, inline=%d\n",
1326 value, t, len, is_inline);
1333 if (is_inline && len > 4) {
1338 /* Arbitrarily limit the length that we will read. */
1339 if (len > HIVEX_MAX_VALUE_LEN) {
1341 fprintf (stderr, "hivex_value_value: returning ERANGE because data "
1342 "length > HIVEX_MAX_VALUE_LEN (%zu > %d)\n",
1343 len, HIVEX_MAX_SUBKEYS);
1348 char *ret = malloc (len);
1353 memcpy (ret, (char *) &vk->data_offset, len);
1357 size_t data_offset = le32toh (vk->data_offset);
1358 data_offset += 0x1000;
1359 if (!IS_VALID_BLOCK (h, data_offset)) {
1361 fprintf (stderr, "hivex_value_value: returning EFAULT because data "
1362 "offset is not a valid block (0x%zx)\n",
1369 /* Check that the declared size isn't larger than the block its in.
1371 * XXX Some apparently valid registries are seen to have this,
1372 * so turn this into a warning and substitute the smaller length
1375 size_t blen = block_len (h, data_offset, NULL);
1376 if (len > blen - 4 /* subtract 4 for block header */) {
1378 fprintf (stderr, "hivex_value_value: warning: declared data length "
1379 "is longer than the block it is in "
1380 "(data 0x%zx, data len %zu, block len %zu)\n",
1381 data_offset, len, blen);
1384 /* Return the smaller length to the caller too. */
1389 char *data = h->addr + data_offset + 4;
1390 memcpy (ret, data, len);
1395 windows_utf16_to_utf8 (/* const */ char *input, size_t len)
1397 iconv_t ic = iconv_open ("UTF-8", "UTF-16");
1398 if (ic == (iconv_t) -1)
1401 /* iconv(3) has an insane interface ... */
1403 /* Mostly UTF-8 will be smaller, so this is a good initial guess. */
1404 size_t outalloc = len;
1408 size_t outlen = outalloc;
1409 char *out = malloc (outlen + 1);
1419 size_t r = iconv (ic, &inp, &inlen, &outp, &outlen);
1420 if (r == (size_t) -1) {
1421 if (errno == E2BIG) {
1423 size_t prev = outalloc;
1424 /* Try again with a larger output buffer. */
1427 if (outalloc < prev) {
1435 /* Else some conversion failure, eg. EILSEQ, EINVAL. */
1451 hivex_value_string (hive_h *h, hive_value_h value)
1455 char *data = hivex_value_value (h, value, &t, &len);
1460 if (t != hive_t_string && t != hive_t_expand_string && t != hive_t_link) {
1466 /* Deal with the case where Windows has allocated a large buffer
1467 * full of random junk, and only the first few bytes of the buffer
1468 * contain a genuine UTF-16 string.
1470 * In this case, iconv would try to process the junk bytes as UTF-16
1471 * and inevitably find an illegal sequence (EILSEQ). Instead, stop
1472 * after we find the first \0\0.
1474 * (Found by Hilko Bengen in a fresh Windows XP SOFTWARE hive).
1476 size_t slen = utf16_string_len_in_bytes_max (data, len);
1480 char *ret = windows_utf16_to_utf8 (data, len);
1489 free_strings (char **argv)
1494 for (i = 0; argv[i] != NULL; ++i)
1500 /* Get the length of a UTF-16 format string. Handle the string as
1501 * pairs of bytes, looking for the first \0\0 pair. Only read up to
1502 * 'len' maximum bytes.
1505 utf16_string_len_in_bytes_max (const char *str, size_t len)
1509 while (len >= 2 && (str[0] || str[1])) {
1518 /* http://blogs.msdn.com/oldnewthing/archive/2009/10/08/9904646.aspx */
1520 hivex_value_multiple_strings (hive_h *h, hive_value_h value)
1524 char *data = hivex_value_value (h, value, &t, &len);
1529 if (t != hive_t_multiple_strings) {
1535 size_t nr_strings = 0;
1536 char **ret = malloc ((1 + nr_strings) * sizeof (char *));
1546 while (p < data + len &&
1547 (plen = utf16_string_len_in_bytes_max (p, data + len - p)) > 0) {
1549 char **ret2 = realloc (ret, (1 + nr_strings) * sizeof (char *));
1557 ret[nr_strings-1] = windows_utf16_to_utf8 (p, plen);
1558 ret[nr_strings] = NULL;
1559 if (ret[nr_strings-1] == NULL) {
1565 p += plen + 2 /* skip over UTF-16 \0\0 at the end of this string */;
1573 hivex_value_dword (hive_h *h, hive_value_h value)
1577 char *data = hivex_value_value (h, value, &t, &len);
1582 if ((t != hive_t_dword && t != hive_t_dword_be) || len != 4) {
1588 int32_t ret = *(int32_t*)data;
1590 if (t == hive_t_dword) /* little endian */
1591 ret = le32toh (ret);
1593 ret = be32toh (ret);
1599 hivex_value_qword (hive_h *h, hive_value_h value)
1603 char *data = hivex_value_value (h, value, &t, &len);
1608 if (t != hive_t_qword || len != 8) {
1614 int64_t ret = *(int64_t*)data;
1616 ret = le64toh (ret); /* always little endian */
1621 /*----------------------------------------------------------------------
1626 hivex_visit (hive_h *h, const struct hivex_visitor *visitor, size_t len,
1627 void *opaque, int flags)
1629 return hivex_visit_node (h, hivex_root (h), visitor, len, opaque, flags);
1632 static int hivex__visit_node (hive_h *h, hive_node_h node,
1633 const struct hivex_visitor *vtor,
1634 char *unvisited, void *opaque, int flags);
1637 hivex_visit_node (hive_h *h, hive_node_h node,
1638 const struct hivex_visitor *visitor, size_t len, void *opaque,
1641 struct hivex_visitor vtor;
1642 memset (&vtor, 0, sizeof vtor);
1644 /* Note that len might be larger *or smaller* than the expected size. */
1645 size_t copysize = len <= sizeof vtor ? len : sizeof vtor;
1646 memcpy (&vtor, visitor, copysize);
1648 /* This bitmap records unvisited nodes, so we don't loop if the
1649 * registry contains cycles.
1651 char *unvisited = malloc (1 + h->size / 32);
1652 if (unvisited == NULL)
1654 memcpy (unvisited, h->bitmap, 1 + h->size / 32);
1656 int r = hivex__visit_node (h, node, &vtor, unvisited, opaque, flags);
1662 hivex__visit_node (hive_h *h, hive_node_h node,
1663 const struct hivex_visitor *vtor, char *unvisited,
1664 void *opaque, int flags)
1666 int skip_bad = flags & HIVEX_VISIT_SKIP_BAD;
1668 hive_value_h *values = NULL;
1669 hive_node_h *children = NULL;
1675 /* Return -1 on all callback errors. However on internal errors,
1676 * check if skip_bad is set and suppress those errors if so.
1680 if (!BITMAP_TST (unvisited, node)) {
1682 fprintf (stderr, "hivex__visit_node: contains cycle:"
1683 " visited node 0x%zx already\n",
1687 return skip_bad ? 0 : -1;
1689 BITMAP_CLR (unvisited, node);
1691 name = hivex_node_name (h, node);
1692 if (!name) return skip_bad ? 0 : -1;
1693 if (vtor->node_start && vtor->node_start (h, opaque, node, name) == -1)
1696 values = hivex_node_values (h, node);
1698 ret = skip_bad ? 0 : -1;
1702 for (i = 0; values[i] != 0; ++i) {
1706 if (hivex_value_type (h, values[i], &t, &len) == -1) {
1707 ret = skip_bad ? 0 : -1;
1711 key = hivex_value_key (h, values[i]);
1713 ret = skip_bad ? 0 : -1;
1717 if (vtor->value_any) {
1718 str = hivex_value_value (h, values[i], &t, &len);
1720 ret = skip_bad ? 0 : -1;
1723 if (vtor->value_any (h, opaque, node, values[i], t, len, key, str) == -1)
1725 free (str); str = NULL;
1730 str = hivex_value_value (h, values[i], &t, &len);
1732 ret = skip_bad ? 0 : -1;
1735 if (t != hive_t_none) {
1736 ret = skip_bad ? 0 : -1;
1739 if (vtor->value_none &&
1740 vtor->value_none (h, opaque, node, values[i], t, len, key, str) == -1)
1742 free (str); str = NULL;
1746 case hive_t_expand_string:
1748 str = hivex_value_string (h, values[i]);
1750 if (errno != EILSEQ && errno != EINVAL) {
1751 ret = skip_bad ? 0 : -1;
1754 if (vtor->value_string_invalid_utf16) {
1755 str = hivex_value_value (h, values[i], &t, &len);
1756 if (vtor->value_string_invalid_utf16 (h, opaque, node, values[i],
1757 t, len, key, str) == -1)
1759 free (str); str = NULL;
1763 if (vtor->value_string &&
1764 vtor->value_string (h, opaque, node, values[i],
1765 t, len, key, str) == -1)
1767 free (str); str = NULL;
1771 case hive_t_dword_be: {
1772 int32_t i32 = hivex_value_dword (h, values[i]);
1773 if (vtor->value_dword &&
1774 vtor->value_dword (h, opaque, node, values[i],
1775 t, len, key, i32) == -1)
1780 case hive_t_qword: {
1781 int64_t i64 = hivex_value_qword (h, values[i]);
1782 if (vtor->value_qword &&
1783 vtor->value_qword (h, opaque, node, values[i],
1784 t, len, key, i64) == -1)
1790 str = hivex_value_value (h, values[i], &t, &len);
1792 ret = skip_bad ? 0 : -1;
1795 if (t != hive_t_binary) {
1796 ret = skip_bad ? 0 : -1;
1799 if (vtor->value_binary &&
1800 vtor->value_binary (h, opaque, node, values[i],
1801 t, len, key, str) == -1)
1803 free (str); str = NULL;
1806 case hive_t_multiple_strings:
1807 strs = hivex_value_multiple_strings (h, values[i]);
1809 if (errno != EILSEQ && errno != EINVAL) {
1810 ret = skip_bad ? 0 : -1;
1813 if (vtor->value_string_invalid_utf16) {
1814 str = hivex_value_value (h, values[i], &t, &len);
1815 if (vtor->value_string_invalid_utf16 (h, opaque, node, values[i],
1816 t, len, key, str) == -1)
1818 free (str); str = NULL;
1822 if (vtor->value_multiple_strings &&
1823 vtor->value_multiple_strings (h, opaque, node, values[i],
1824 t, len, key, strs) == -1)
1826 free_strings (strs); strs = NULL;
1829 case hive_t_resource_list:
1830 case hive_t_full_resource_description:
1831 case hive_t_resource_requirements_list:
1833 str = hivex_value_value (h, values[i], &t, &len);
1835 ret = skip_bad ? 0 : -1;
1838 if (vtor->value_other &&
1839 vtor->value_other (h, opaque, node, values[i],
1840 t, len, key, str) == -1)
1842 free (str); str = NULL;
1847 free (key); key = NULL;
1850 children = hivex_node_children (h, node);
1851 if (children == NULL) {
1852 ret = skip_bad ? 0 : -1;
1856 for (i = 0; children[i] != 0; ++i) {
1858 fprintf (stderr, "hivex__visit_node: %s: visiting subkey %d (0x%zx)\n",
1859 name, i, children[i]);
1861 if (hivex__visit_node (h, children[i], vtor, unvisited, opaque, flags) == -1)
1865 if (vtor->node_end && vtor->node_end (h, opaque, node, name) == -1)
1876 free_strings (strs);
1880 /*----------------------------------------------------------------------
1884 /* Allocate an hbin (page), extending the malloc'd space if necessary,
1885 * and updating the hive handle fields (but NOT the hive disk header
1886 * -- the hive disk header is updated when we commit). This function
1887 * also extends the bitmap if necessary.
1889 * 'allocation_hint' is the size of the block allocation we would like
1890 * to make. Normally registry blocks are very small (avg 50 bytes)
1891 * and are contained in standard-sized pages (4KB), but the registry
1892 * can support blocks which are larger than a standard page, in which
1893 * case it creates a page of 8KB, 12KB etc.
1896 * > 0 : offset of first usable byte of new page (after page header)
1897 * 0 : error (errno set)
1900 allocate_page (hive_h *h, size_t allocation_hint)
1902 /* In almost all cases this will be 1. */
1903 size_t nr_4k_pages =
1904 1 + (allocation_hint + sizeof (struct ntreg_hbin_page) - 1) / 4096;
1905 assert (nr_4k_pages >= 1);
1907 /* 'extend' is the number of bytes to extend the file by. Note that
1908 * hives found in the wild often contain slack between 'endpages'
1909 * and the actual end of the file, so we don't always need to make
1912 ssize_t extend = h->endpages + nr_4k_pages * 4096 - h->size;
1914 if (h->msglvl >= 2) {
1915 fprintf (stderr, "allocate_page: current endpages = 0x%zx,"
1916 " current size = 0x%zx\n",
1917 h->endpages, h->size);
1918 fprintf (stderr, "allocate_page: extending file by %zd bytes"
1919 " (<= 0 if no extension)\n",
1924 size_t oldsize = h->size;
1925 size_t newsize = h->size + extend;
1926 char *newaddr = realloc (h->addr, newsize);
1927 if (newaddr == NULL)
1930 size_t oldbitmapsize = 1 + oldsize / 32;
1931 size_t newbitmapsize = 1 + newsize / 32;
1932 char *newbitmap = realloc (h->bitmap, newbitmapsize);
1933 if (newbitmap == NULL) {
1940 h->bitmap = newbitmap;
1942 memset (h->addr + oldsize, 0, newsize - oldsize);
1943 memset (h->bitmap + oldbitmapsize, 0, newbitmapsize - oldbitmapsize);
1946 size_t offset = h->endpages;
1947 h->endpages += nr_4k_pages * 4096;
1950 fprintf (stderr, "allocate_page: new endpages = 0x%zx, new size = 0x%zx\n",
1951 h->endpages, h->size);
1953 /* Write the hbin header. */
1954 struct ntreg_hbin_page *page =
1955 (struct ntreg_hbin_page *) (h->addr + offset);
1956 page->magic[0] = 'h';
1957 page->magic[1] = 'b';
1958 page->magic[2] = 'i';
1959 page->magic[3] = 'n';
1960 page->offset_first = htole32 (offset - 0x1000);
1961 page->page_size = htole32 (nr_4k_pages * 4096);
1962 memset (page->unknown, 0, sizeof (page->unknown));
1965 fprintf (stderr, "allocate_page: new page at 0x%zx\n", offset);
1967 /* Offset of first usable byte after the header. */
1968 return offset + sizeof (struct ntreg_hbin_page);
1971 /* Allocate a single block, first allocating an hbin (page) at the end
1972 * of the current file if necessary. NB. To keep the implementation
1973 * simple and more likely to be correct, we do not reuse existing free
1976 * seg_len is the size of the block (this INCLUDES the block header).
1977 * The header of the block is initialized to -seg_len (negative to
1978 * indicate used). id[2] is the block ID (type), eg. "nk" for nk-
1979 * record. The block bitmap is updated to show this block as valid.
1980 * The rest of the contents of the block will be zero.
1982 * **NB** Because allocate_block may reallocate the memory, all
1983 * pointers into the memory become potentially invalid. I really
1984 * love writing in C, can't you tell?
1987 * > 0 : offset of new block
1988 * 0 : error (errno set)
1991 allocate_block (hive_h *h, size_t seg_len, const char id[2])
1999 /* The caller probably forgot to include the header. Note that
2000 * value lists have no ID field, so seg_len == 4 would be possible
2001 * for them, albeit unusual.
2004 fprintf (stderr, "allocate_block: refusing too small allocation (%zu),"
2005 " returning ERANGE\n", seg_len);
2010 /* Refuse really large allocations. */
2011 if (seg_len > HIVEX_MAX_ALLOCATION) {
2013 fprintf (stderr, "allocate_block: refusing large allocation (%zu),"
2014 " returning ERANGE\n", seg_len);
2019 /* Round up allocation to multiple of 8 bytes. All blocks must be
2020 * on an 8 byte boundary.
2022 seg_len = (seg_len + 7) & ~7;
2024 /* Allocate a new page if necessary. */
2025 if (h->endblocks == 0 || h->endblocks + seg_len > h->endpages) {
2026 size_t newendblocks = allocate_page (h, seg_len);
2027 if (newendblocks == 0)
2029 h->endblocks = newendblocks;
2032 size_t offset = h->endblocks;
2035 fprintf (stderr, "allocate_block: new block at 0x%zx, size %zu\n",
2038 struct ntreg_hbin_block *blockhdr =
2039 (struct ntreg_hbin_block *) (h->addr + offset);
2041 memset (blockhdr, 0, seg_len);
2043 blockhdr->seg_len = htole32 (- (int32_t) seg_len);
2044 if (id[0] && id[1] && seg_len >= sizeof (struct ntreg_hbin_block)) {
2045 blockhdr->id[0] = id[0];
2046 blockhdr->id[1] = id[1];
2049 BITMAP_SET (h->bitmap, offset);
2051 h->endblocks += seg_len;
2053 /* If there is space after the last block in the last page, then we
2054 * have to put a dummy free block header here to mark the rest of
2057 ssize_t rem = h->endpages - h->endblocks;
2060 fprintf (stderr, "allocate_block: marking remainder of page free"
2061 " starting at 0x%zx, size %zd\n", h->endblocks, rem);
2065 blockhdr = (struct ntreg_hbin_block *) (h->addr + h->endblocks);
2066 blockhdr->seg_len = htole32 ((int32_t) rem);
2072 /* 'offset' must point to a valid, used block. This function marks
2073 * the block unused (by updating the seg_len field) and invalidates
2074 * the bitmap. It does NOT do this recursively, so to avoid creating
2075 * unreachable used blocks, callers may have to recurse over the hive
2076 * structures. Also callers must ensure there are no references to
2077 * this block from other parts of the hive.
2080 mark_block_unused (hive_h *h, size_t offset)
2082 assert (h->writable);
2083 assert (IS_VALID_BLOCK (h, offset));
2086 fprintf (stderr, "mark_block_unused: marking 0x%zx unused\n", offset);
2088 struct ntreg_hbin_block *blockhdr =
2089 (struct ntreg_hbin_block *) (h->addr + offset);
2091 size_t seg_len = block_len (h, offset, NULL);
2092 blockhdr->seg_len = htole32 (seg_len);
2094 BITMAP_CLR (h->bitmap, offset);
2097 /* Delete all existing values at this node. */
2099 delete_values (hive_h *h, hive_node_h node)
2101 assert (h->writable);
2103 hive_value_h *values;
2105 if (get_values (h, node, &values, &blocks) == -1)
2109 for (i = 0; blocks[i] != 0; ++i)
2110 mark_block_unused (h, blocks[i]);
2114 for (i = 0; values[i] != 0; ++i) {
2115 struct ntreg_vk_record *vk =
2116 (struct ntreg_vk_record *) (h->addr + values[i]);
2120 len = le32toh (vk->data_len);
2121 is_inline = !!(len & 0x80000000); /* top bit indicates is inline */
2124 if (!is_inline) { /* non-inline, so remove data block */
2125 size_t data_offset = le32toh (vk->data_offset);
2126 data_offset += 0x1000;
2127 mark_block_unused (h, data_offset);
2130 /* remove vk record */
2131 mark_block_unused (h, values[i]);
2136 struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
2137 nk->nr_values = htole32 (0);
2138 nk->vallist = htole32 (0xffffffff);
2144 hivex_commit (hive_h *h, const char *filename, int flags)
2156 filename = filename ? : h->filename;
2157 int fd = open (filename, O_WRONLY|O_CREAT|O_TRUNC|O_NOCTTY, 0666);
2161 /* Update the header fields. */
2162 uint32_t sequence = le32toh (h->hdr->sequence1);
2164 h->hdr->sequence1 = htole32 (sequence);
2165 h->hdr->sequence2 = htole32 (sequence);
2166 /* XXX Ought to update h->hdr->last_modified. */
2167 h->hdr->blocks = htole32 (h->endpages - 0x1000);
2169 /* Recompute header checksum. */
2170 uint32_t sum = header_checksum (h);
2171 h->hdr->csum = htole32 (sum);
2174 fprintf (stderr, "hivex_commit: new header checksum: 0x%x\n", sum);
2176 if (full_write (fd, h->addr, h->size) != h->size) {
2183 if (close (fd) == -1)
2189 /* Calculate the hash for a lf or lh record offset.
2192 calc_hash (const char *type, const char *name, char *ret)
2194 size_t len = strlen (name);
2196 if (STRPREFIX (type, "lf"))
2197 /* Old-style, not used in current registries. */
2198 memcpy (ret, name, len < 4 ? len : 4);
2200 /* New-style for lh-records. */
2203 for (i = 0; i < len; ++i) {
2204 c = c_toupper (name[i]);
2208 *((uint32_t *) ret) = htole32 (h);
2212 /* Create a completely new lh-record containing just the single node. */
2214 new_lh_record (hive_h *h, const char *name, hive_node_h node)
2216 static const char id[2] = { 'l', 'h' };
2217 size_t seg_len = sizeof (struct ntreg_lf_record);
2218 size_t offset = allocate_block (h, seg_len, id);
2222 struct ntreg_lf_record *lh = (struct ntreg_lf_record *) (h->addr + offset);
2223 lh->nr_keys = htole16 (1);
2224 lh->keys[0].offset = htole32 (node - 0x1000);
2225 calc_hash ("lh", name, lh->keys[0].hash);
2230 /* Insert node into existing lf/lh-record at position.
2231 * This allocates a new record and marks the old one as unused.
2234 insert_lf_record (hive_h *h, size_t old_offs, size_t posn,
2235 const char *name, hive_node_h node)
2237 assert (IS_VALID_BLOCK (h, old_offs));
2239 /* Work around C stupidity.
2240 * http://www.redhat.com/archives/libguestfs/2010-February/msg00056.html
2242 int test = BLOCK_ID_EQ (h, old_offs, "lf") || BLOCK_ID_EQ (h, old_offs, "lh");
2245 struct ntreg_lf_record *old_lf =
2246 (struct ntreg_lf_record *) (h->addr + old_offs);
2247 size_t nr_keys = le16toh (old_lf->nr_keys);
2249 nr_keys++; /* in new record ... */
2251 size_t seg_len = sizeof (struct ntreg_lf_record) + (nr_keys-1) * 8;
2253 /* Copy the old_lf->id in case it moves during allocate_block. */
2255 memcpy (id, old_lf->id, sizeof id);
2257 size_t new_offs = allocate_block (h, seg_len, id);
2261 /* old_lf could have been invalidated by allocate_block. */
2262 old_lf = (struct ntreg_lf_record *) (h->addr + old_offs);
2264 struct ntreg_lf_record *new_lf =
2265 (struct ntreg_lf_record *) (h->addr + new_offs);
2266 new_lf->nr_keys = htole16 (nr_keys);
2268 /* Copy the keys until we reach posn, insert the new key there, then
2269 * copy the remaining keys.
2272 for (i = 0; i < posn; ++i)
2273 new_lf->keys[i] = old_lf->keys[i];
2275 new_lf->keys[i].offset = htole32 (node - 0x1000);
2276 calc_hash (new_lf->id, name, new_lf->keys[i].hash);
2278 for (i = posn+1; i < nr_keys; ++i)
2279 new_lf->keys[i] = old_lf->keys[i-1];
2281 /* Old block is unused, return new block. */
2282 mark_block_unused (h, old_offs);
2286 /* Compare name with name in nk-record. */
2288 compare_name_with_nk_name (hive_h *h, const char *name, hive_node_h nk_offs)
2290 assert (IS_VALID_BLOCK (h, nk_offs));
2291 assert (BLOCK_ID_EQ (h, nk_offs, "nk"));
2293 /* Name in nk is not necessarily nul-terminated. */
2294 char *nname = hivex_node_name (h, nk_offs);
2296 /* Unfortunately we don't have a way to return errors here. */
2298 perror ("compare_name_with_nk_name");
2302 int r = strcasecmp (name, nname);
2309 hivex_node_add_child (hive_h *h, hive_node_h parent, const char *name)
2316 if (!IS_VALID_BLOCK (h, parent) || !BLOCK_ID_EQ (h, parent, "nk")) {
2321 if (name == NULL || strlen (name) == 0) {
2326 if (hivex_node_get_child (h, parent, name) != 0) {
2331 /* Create the new nk-record. */
2332 static const char nk_id[2] = { 'n', 'k' };
2333 size_t seg_len = sizeof (struct ntreg_nk_record) + strlen (name);
2334 hive_node_h node = allocate_block (h, seg_len, nk_id);
2339 fprintf (stderr, "hivex_node_add_child: allocated new nk-record"
2340 " for child at 0x%zx\n", node);
2342 struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
2343 nk->flags = htole16 (0x0020); /* key is ASCII. */
2344 nk->parent = htole32 (parent - 0x1000);
2345 nk->subkey_lf = htole32 (0xffffffff);
2346 nk->subkey_lf_volatile = htole32 (0xffffffff);
2347 nk->vallist = htole32 (0xffffffff);
2348 nk->classname = htole32 (0xffffffff);
2349 nk->name_len = htole16 (strlen (name));
2350 strcpy (nk->name, name);
2352 /* Inherit parent sk. */
2353 struct ntreg_nk_record *parent_nk =
2354 (struct ntreg_nk_record *) (h->addr + parent);
2355 size_t parent_sk_offset = le32toh (parent_nk->sk);
2356 parent_sk_offset += 0x1000;
2357 if (!IS_VALID_BLOCK (h, parent_sk_offset) ||
2358 !BLOCK_ID_EQ (h, parent_sk_offset, "sk")) {
2360 fprintf (stderr, "hivex_node_add_child: returning EFAULT"
2361 " because parent sk is not a valid block (%zu)\n",
2366 struct ntreg_sk_record *sk =
2367 (struct ntreg_sk_record *) (h->addr + parent_sk_offset);
2368 sk->refcount = htole32 (le32toh (sk->refcount) + 1);
2369 nk->sk = htole32 (parent_sk_offset - 0x1000);
2371 /* Inherit parent timestamp. */
2372 nk->timestamp = parent_nk->timestamp;
2374 /* What I found out the hard way (not documented anywhere): the
2375 * subkeys in lh-records must be kept sorted. If you just add a
2376 * subkey in a non-sorted position (eg. just add it at the end) then
2377 * Windows won't see the subkey _and_ Windows will corrupt the hive
2378 * itself when it modifies or saves it.
2380 * So use get_children() to get a list of intermediate
2381 * lf/lh-records. get_children() returns these in reading order
2382 * (which is sorted), so we look for the lf/lh-records in sequence
2383 * until we find the key name just after the one we are inserting,
2384 * and we insert the subkey just before it.
2386 * The only other case is the no-subkeys case, where we have to
2387 * create a brand new lh-record.
2389 hive_node_h *unused;
2392 if (get_children (h, parent, &unused, &blocks, 0) == -1)
2397 size_t nr_subkeys_in_parent_nk = le32toh (parent_nk->nr_subkeys);
2398 if (nr_subkeys_in_parent_nk == 0) { /* No subkeys case. */
2399 /* Free up any existing intermediate blocks. */
2400 for (i = 0; blocks[i] != 0; ++i)
2401 mark_block_unused (h, blocks[i]);
2402 size_t lh_offs = new_lh_record (h, name, node);
2408 /* Recalculate pointers that could have been invalidated by
2409 * previous call to allocate_block (via new_lh_record).
2411 nk = (struct ntreg_nk_record *) (h->addr + node);
2412 parent_nk = (struct ntreg_nk_record *) (h->addr + parent);
2415 fprintf (stderr, "hivex_node_add_child: no keys, allocated new"
2416 " lh-record at 0x%zx\n", lh_offs);
2418 parent_nk->subkey_lf = htole32 (lh_offs - 0x1000);
2420 else { /* Insert subkeys case. */
2421 size_t old_offs = 0, new_offs = 0;
2422 struct ntreg_lf_record *old_lf = NULL;
2424 /* Find lf/lh key name just after the one we are inserting. */
2425 for (i = 0; blocks[i] != 0; ++i) {
2426 if (BLOCK_ID_EQ (h, blocks[i], "lf") ||
2427 BLOCK_ID_EQ (h, blocks[i], "lh")) {
2428 old_offs = blocks[i];
2429 old_lf = (struct ntreg_lf_record *) (h->addr + old_offs);
2430 for (j = 0; j < le16toh (old_lf->nr_keys); ++j) {
2431 hive_node_h nk_offs = le32toh (old_lf->keys[j].offset);
2433 if (compare_name_with_nk_name (h, name, nk_offs) < 0)
2439 /* Insert it at the end.
2440 * old_offs points to the last lf record, set j.
2442 assert (old_offs != 0); /* should never happen if nr_subkeys > 0 */
2443 j = le16toh (old_lf->nr_keys);
2448 fprintf (stderr, "hivex_node_add_child: insert key in existing"
2449 " lh-record at 0x%zx, posn %zu\n", old_offs, j);
2451 new_offs = insert_lf_record (h, old_offs, j, name, node);
2452 if (new_offs == 0) {
2457 /* Recalculate pointers that could have been invalidated by
2458 * previous call to allocate_block (via insert_lf_record).
2460 nk = (struct ntreg_nk_record *) (h->addr + node);
2461 parent_nk = (struct ntreg_nk_record *) (h->addr + parent);
2464 fprintf (stderr, "hivex_node_add_child: new lh-record at 0x%zx\n",
2467 /* If the lf/lh-record was directly referenced by the parent nk,
2468 * then update the parent nk.
2470 if (le32toh (parent_nk->subkey_lf) + 0x1000 == old_offs)
2471 parent_nk->subkey_lf = htole32 (new_offs - 0x1000);
2472 /* Else we have to look for the intermediate ri-record and update
2476 for (i = 0; blocks[i] != 0; ++i) {
2477 if (BLOCK_ID_EQ (h, blocks[i], "ri")) {
2478 struct ntreg_ri_record *ri =
2479 (struct ntreg_ri_record *) (h->addr + blocks[i]);
2480 for (j = 0; j < le16toh (ri->nr_offsets); ++j)
2481 if (le32toh (ri->offset[j] + 0x1000) == old_offs) {
2482 ri->offset[j] = htole32 (new_offs - 0x1000);
2488 /* Not found .. This is an internal error. */
2490 fprintf (stderr, "hivex_node_add_child: returning ENOTSUP"
2491 " because could not find ri->lf link\n");
2503 /* Update nr_subkeys in parent nk. */
2504 nr_subkeys_in_parent_nk++;
2505 parent_nk->nr_subkeys = htole32 (nr_subkeys_in_parent_nk);
2507 /* Update max_subkey_name_len in parent nk. */
2508 uint16_t max = le16toh (parent_nk->max_subkey_name_len);
2509 if (max < strlen (name) * 2) /* *2 because "recoded" in UTF16-LE. */
2510 parent_nk->max_subkey_name_len = htole16 (strlen (name) * 2);
2515 /* Decrement the refcount of an sk-record, and if it reaches zero,
2516 * unlink it from the chain and delete it.
2519 delete_sk (hive_h *h, size_t sk_offset)
2521 if (!IS_VALID_BLOCK (h, sk_offset) || !BLOCK_ID_EQ (h, sk_offset, "sk")) {
2523 fprintf (stderr, "delete_sk: not an sk record: 0x%zx\n", sk_offset);
2528 struct ntreg_sk_record *sk = (struct ntreg_sk_record *) (h->addr + sk_offset);
2530 if (sk->refcount == 0) {
2532 fprintf (stderr, "delete_sk: sk record already has refcount 0: 0x%zx\n",
2540 if (sk->refcount == 0) {
2541 size_t sk_prev_offset = sk->sk_prev;
2542 sk_prev_offset += 0x1000;
2544 size_t sk_next_offset = sk->sk_next;
2545 sk_next_offset += 0x1000;
2547 /* Update sk_prev/sk_next SKs, unless they both point back to this
2548 * cell in which case we are deleting the last SK.
2550 if (sk_prev_offset != sk_offset && sk_next_offset != sk_offset) {
2551 struct ntreg_sk_record *sk_prev =
2552 (struct ntreg_sk_record *) (h->addr + sk_prev_offset);
2553 struct ntreg_sk_record *sk_next =
2554 (struct ntreg_sk_record *) (h->addr + sk_next_offset);
2556 sk_prev->sk_next = htole32 (sk_next_offset - 0x1000);
2557 sk_next->sk_prev = htole32 (sk_prev_offset - 0x1000);
2560 /* Refcount is zero so really delete this block. */
2561 mark_block_unused (h, sk_offset);
2567 /* Callback from hivex_node_delete_child which is called to delete a
2568 * node AFTER its subnodes have been visited. The subnodes have been
2569 * deleted but we still have to delete any lf/lh/li/ri records and the
2570 * value list block and values, followed by deleting the node itself.
2573 delete_node (hive_h *h, void *opaque, hive_node_h node, const char *name)
2575 /* Get the intermediate blocks. The subkeys have already been
2576 * deleted by this point, so tell get_children() not to check for
2577 * validity of the nk-records.
2579 hive_node_h *unused;
2581 if (get_children (h, node, &unused, &blocks, GET_CHILDREN_NO_CHECK_NK) == -1)
2585 /* We don't care what's in these intermediate blocks, so we can just
2586 * delete them unconditionally.
2589 for (i = 0; blocks[i] != 0; ++i)
2590 mark_block_unused (h, blocks[i]);
2594 /* Delete the values in the node. */
2595 if (delete_values (h, node) == -1)
2598 struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
2600 /* If the NK references an SK, delete it. */
2601 size_t sk_offs = le32toh (nk->sk);
2602 if (sk_offs != 0xffffffff) {
2604 if (delete_sk (h, sk_offs) == -1)
2606 nk->sk = htole32 (0xffffffff);
2609 /* If the NK references a classname, delete it. */
2610 size_t cl_offs = le32toh (nk->classname);
2611 if (cl_offs != 0xffffffff) {
2613 mark_block_unused (h, cl_offs);
2614 nk->classname = htole32 (0xffffffff);
2617 /* Delete the node itself. */
2618 mark_block_unused (h, node);
2624 hivex_node_delete_child (hive_h *h, hive_node_h node)
2631 if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) {
2636 if (node == hivex_root (h)) {
2638 fprintf (stderr, "hivex_node_delete_child: cannot delete root node\n");
2643 hive_node_h parent = hivex_node_parent (h, node);
2647 /* Delete node and all its children and values recursively. */
2648 static const struct hivex_visitor visitor = { .node_end = delete_node };
2649 if (hivex_visit_node (h, node, &visitor, sizeof visitor, NULL, 0) == -1)
2652 /* Delete the link from parent to child. We need to find the lf/lh
2653 * record which contains the offset and remove the offset from that
2654 * record, then decrement the element count in that record, and
2655 * decrement the overall number of subkeys stored in the parent
2658 hive_node_h *unused;
2660 if (get_children (h, parent, &unused, &blocks, GET_CHILDREN_NO_CHECK_NK)== -1)
2665 for (i = 0; blocks[i] != 0; ++i) {
2666 struct ntreg_hbin_block *block =
2667 (struct ntreg_hbin_block *) (h->addr + blocks[i]);
2669 if (block->id[0] == 'l' && (block->id[1] == 'f' || block->id[1] == 'h')) {
2670 struct ntreg_lf_record *lf = (struct ntreg_lf_record *) block;
2672 size_t nr_subkeys_in_lf = le16toh (lf->nr_keys);
2674 for (j = 0; j < nr_subkeys_in_lf; ++j)
2675 if (le32toh (lf->keys[j].offset) + 0x1000 == node) {
2676 for (; j < nr_subkeys_in_lf - 1; ++j)
2677 memcpy (&lf->keys[j], &lf->keys[j+1], sizeof (lf->keys[j]));
2678 lf->nr_keys = htole16 (nr_subkeys_in_lf - 1);
2684 fprintf (stderr, "hivex_node_delete_child: could not find parent"
2685 " to child link\n");
2690 struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + parent);
2691 size_t nr_subkeys_in_nk = le32toh (nk->nr_subkeys);
2692 nk->nr_subkeys = htole32 (nr_subkeys_in_nk - 1);
2695 fprintf (stderr, "hivex_node_delete_child: updating nr_subkeys"
2696 " in parent 0x%zx to %zu\n", parent, nr_subkeys_in_nk);
2702 hivex_node_set_values (hive_h *h, hive_node_h node,
2703 size_t nr_values, const hive_set_value *values,
2711 if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) {
2716 /* Delete all existing values. */
2717 if (delete_values (h, node) == -1)
2723 /* Allocate value list node. Value lists have no id field. */
2724 static const char nul_id[2] = { 0, 0 };
2726 sizeof (struct ntreg_value_list) + (nr_values - 1) * sizeof (uint32_t);
2727 size_t vallist_offs = allocate_block (h, seg_len, nul_id);
2728 if (vallist_offs == 0)
2731 struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
2732 nk->nr_values = htole32 (nr_values);
2733 nk->vallist = htole32 (vallist_offs - 0x1000);
2735 struct ntreg_value_list *vallist =
2736 (struct ntreg_value_list *) (h->addr + vallist_offs);
2739 for (i = 0; i < nr_values; ++i) {
2740 /* Allocate vk record to store this (key, value) pair. */
2741 static const char vk_id[2] = { 'v', 'k' };
2742 seg_len = sizeof (struct ntreg_vk_record) + strlen (values[i].key);
2743 size_t vk_offs = allocate_block (h, seg_len, vk_id);
2747 /* Recalculate pointers that could have been invalidated by
2748 * previous call to allocate_block.
2750 nk = (struct ntreg_nk_record *) (h->addr + node);
2751 vallist = (struct ntreg_value_list *) (h->addr + vallist_offs);
2753 vallist->offset[i] = htole32 (vk_offs - 0x1000);
2755 struct ntreg_vk_record *vk = (struct ntreg_vk_record *) (h->addr + vk_offs);
2756 size_t name_len = strlen (values[i].key);
2757 vk->name_len = htole16 (name_len);
2758 strcpy (vk->name, values[i].key);
2759 vk->data_type = htole32 (values[i].t);
2760 uint32_t len = values[i].len;
2761 if (len <= 4) /* store it inline => set MSB flag */
2763 vk->data_len = htole32 (len);
2764 vk->flags = name_len == 0 ? 0 : 1;
2766 if (values[i].len <= 4) /* store it inline */
2767 memcpy (&vk->data_offset, values[i].value, values[i].len);
2769 size_t offs = allocate_block (h, values[i].len + 4, nul_id);
2773 /* Recalculate pointers that could have been invalidated by
2774 * previous call to allocate_block.
2776 nk = (struct ntreg_nk_record *) (h->addr + node);
2777 vallist = (struct ntreg_value_list *) (h->addr + vallist_offs);
2778 vk = (struct ntreg_vk_record *) (h->addr + vk_offs);
2780 memcpy (h->addr + offs + 4, values[i].value, values[i].len);
2781 vk->data_offset = htole32 (offs - 0x1000);
2784 if (name_len * 2 > le32toh (nk->max_vk_name_len))
2785 /* * 2 for UTF16-LE "reencoding" */
2786 nk->max_vk_name_len = htole32 (name_len * 2);
2787 if (values[i].len > le32toh (nk->max_vk_data_len))
2788 nk->max_vk_data_len = htole32 (values[i].len);
2795 hivex_node_set_value (hive_h *h, hive_node_h node,
2796 const hive_set_value *val, int flags)
2798 hive_value_h *prev_values = hivex_node_values (h, node);
2799 if (prev_values == NULL)
2804 size_t nr_values = 0;
2805 for (hive_value_h *itr = prev_values; *itr != 0; ++itr)
2808 hive_set_value *values = malloc ((nr_values + 1) * (sizeof (hive_set_value)));
2810 goto leave_prev_values;
2813 int idx_of_val = -1;
2814 hive_value_h *prev_val;
2815 for (prev_val = prev_values; *prev_val != 0; ++prev_val) {
2819 hive_set_value *value = &values[prev_val - prev_values];
2821 char *valval = hivex_value_value (h, *prev_val, &t, &len);
2822 if (valval == NULL) goto leave_partial;
2825 value->value = valval;
2829 char *valkey = hivex_value_key (h, *prev_val);
2830 if (valkey == NULL) goto leave_partial;
2833 value->key = valkey;
2835 if (STRCASEEQ (valkey, val->key))
2836 idx_of_val = prev_val - prev_values;
2839 if (idx_of_val > -1) {
2840 free (values[idx_of_val].key);
2841 free (values[idx_of_val].value);
2843 idx_of_val = nr_values;
2847 hive_set_value *value = &values[idx_of_val];
2848 *value = (hive_set_value){
2849 .key = strdup (val->key),
2850 .value = malloc (val->len),
2855 if (value->key == NULL || value->value == NULL) goto leave_partial;
2856 memcpy (value->value, val->value, val->len);
2858 retval = hivex_node_set_values (h, node, nr_values, values, 0);
2861 for (int i = 0; i < alloc_ct; i += 2) {
2862 free (values[i / 2].value);
2863 if (i + 1 < alloc_ct && values[i / 2].key != NULL)
2864 free (values[i / 2].key);
git.annexia.org / hivex.git / blob