1 /* hivex - Windows Registry "hive" extraction library.
2 * Copyright (C) 2009 Red Hat Inc.
3 * Derived from code by Petter Nordahl-Hagen under a compatible license:
4 * Copyright (c) 1997-2007 Petter Nordahl-Hagen.
5 * Derived from code by Markus Stephany under a compatible license:
6 * Copyright (c) 2000-2004, Markus Stephany.
8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public
10 * License as published by the Free Software Foundation;
11 * version 2.1 of the License.
13 * This library is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * See file LICENSE for the full license.
36 #ifdef HAVE_BYTESWAP_H
40 #if __BYTE_ORDER == __LITTLE_ENDIAN
42 #define be32toh(x) __bswap_32 (x)
45 #define be64toh(x) __bswap_64 (x)
48 #define le16toh(x) (x)
51 #define le32toh(x) (x)
54 #define le64toh(x) (x)
58 #define be32toh(x) (x)
61 #define be64toh(x) (x)
64 #define le16toh(x) __bswap_16 (x)
67 #define le32toh(x) __bswap_32 (x)
70 #define le64toh(x) __bswap_64 (x)
81 /* Memory-mapped (readonly) registry file. */
84 struct ntreg_header *hdr;
87 /* Use a bitmap to store which file offsets are valid (point to a
88 * used block). We only need to store 1 bit per 32 bits of the file
89 * (because blocks are 4-byte aligned). We found that the average
90 * block size in a registry file is ~50 bytes. So roughly 1 in 12
91 * bits in the bitmap will be set, making it likely a more efficient
92 * structure than a hash table.
95 #define BITMAP_SET(bitmap,off) (bitmap[(off)>>5] |= 1 << (((off)>>2)&7))
96 #define BITMAP_CLR(bitmap,off) (bitmap[(off)>>5] &= ~ (1 << (((off)>>2)&7)))
97 #define BITMAP_TST(bitmap,off) (bitmap[(off)>>5] & (1 << (((off)>>2)&7)))
98 #define IS_VALID_BLOCK(h,off) \
99 (((off) & 3) == 0 && \
101 (off) < (h)->size && \
102 BITMAP_TST((h)->bitmap,(off)))
104 /* Fields from the header, extracted from little-endianness. */
105 size_t rootoffs; /* Root key offset (always an nk-block). */
108 size_t pages; /* Number of hbin pages read. */
109 size_t blocks; /* Total number of blocks found. */
110 size_t used_blocks; /* Total number of used blocks found. */
111 size_t used_size; /* Total size (bytes) of used blocks. */
114 /* NB. All fields are little endian. */
115 struct ntreg_header {
116 char magic[4]; /* "regf" */
119 char last_modified[8];
120 uint32_t unknown3; /* 1 */
121 uint32_t unknown4; /* 3 */
122 uint32_t unknown5; /* 0 */
123 uint32_t unknown6; /* 1 */
124 uint32_t offset; /* offset of root key record - 4KB */
125 uint32_t blocks; /* size in bytes of data (filesize - 4KB) */
126 uint32_t unknown7; /* 1 */
127 char name[0x1fc-0x2c];
128 uint32_t csum; /* checksum: sum of 32 bit words 0-0x1fb. */
129 } __attribute__((__packed__));
131 struct ntreg_hbin_page {
132 char magic[4]; /* "hbin" */
133 uint32_t offset_first; /* offset from 1st block */
134 uint32_t offset_next; /* offset of next (relative to this) */
136 /* Linked list of blocks follows here. */
137 } __attribute__((__packed__));
139 struct ntreg_hbin_block {
140 int32_t seg_len; /* length of this block (-ve for used block) */
141 char id[2]; /* the block type (eg. "nk" for nk record) */
142 /* Block data follows here. */
143 } __attribute__((__packed__));
145 #define BLOCK_ID_EQ(h,offs,eqid) \
146 (STREQLEN (((struct ntreg_hbin_block *)((h)->addr + (offs)))->id, (eqid), 2))
149 block_len (hive_h *h, size_t blkoff, int *used)
151 struct ntreg_hbin_block *block;
152 block = (struct ntreg_hbin_block *) (h->addr + blkoff);
154 int32_t len = le32toh (block->seg_len);
165 struct ntreg_nk_record {
166 int32_t seg_len; /* length (always -ve because used) */
167 char id[2]; /* "nk" */
170 uint32_t parent; /* offset of owner/parent */
171 uint32_t nr_subkeys; /* number of subkeys */
173 uint32_t subkey_lf; /* lf record containing list of subkeys */
175 uint32_t nr_values; /* number of values */
176 uint32_t vallist; /* value-list record */
177 uint32_t sk; /* offset of sk-record */
178 uint32_t classname; /* offset of classname record */
181 uint16_t name_len; /* length of name */
182 uint16_t classname_len; /* length of classname */
183 char name[1]; /* name follows here */
184 } __attribute__((__packed__));
186 struct ntreg_lf_record {
188 char id[2]; /* "lf" */
189 uint16_t nr_keys; /* number of keys in this record */
191 uint32_t offset; /* offset of nk-record for this subkey */
192 char name[4]; /* first 4 characters of subkey name */
194 } __attribute__((__packed__));
196 struct ntreg_ri_record {
198 char id[2]; /* "ri" */
199 uint16_t nr_offsets; /* number of pointers to lh records */
200 uint32_t offset[1]; /* list of pointers to lh records */
201 } __attribute__((__packed__));
203 /* This has no ID header. */
204 struct ntreg_value_list {
206 uint32_t offset[1]; /* list of pointers to vk records */
207 } __attribute__((__packed__));
209 struct ntreg_vk_record {
210 int32_t seg_len; /* length (always -ve because used) */
211 char id[2]; /* "vk" */
212 uint16_t name_len; /* length of name */
213 /* length of the data:
214 * If data_len is <= 4, then it's stored inline.
215 * If data_len is 0x80000000, then it's an inline dword.
216 * Top bit may be set or not set at random.
219 uint32_t data_offset; /* pointer to the data (or data if inline) */
220 hive_type data_type; /* type of the data */
221 uint16_t unknown1; /* possibly always 1 */
223 char name[1]; /* key name follows here */
224 } __attribute__((__packed__));
227 hivex_open (const char *filename, int flags)
231 h = calloc (1, sizeof *h);
235 h->msglvl = flags & HIVEX_OPEN_MSGLVL_MASK;
237 const char *debug = getenv ("HIVEX_DEBUG");
238 if (debug && STREQ (debug, "1"))
242 printf ("hivex_open: created handle %p\n", h);
244 h->fd = open (filename, O_RDONLY);
249 if (fstat (h->fd, &statbuf) == -1)
252 h->size = statbuf.st_size;
254 h->addr = mmap (NULL, h->size, PROT_READ, MAP_SHARED, h->fd, 0);
255 if (h->addr == MAP_FAILED)
259 printf ("hivex_open: mapped file at %p\n", h->addr);
262 if (h->hdr->magic[0] != 'r' ||
263 h->hdr->magic[1] != 'e' ||
264 h->hdr->magic[2] != 'g' ||
265 h->hdr->magic[3] != 'f') {
266 fprintf (stderr, "hivex: %s: not a Windows NT Registry hive file\n",
272 h->bitmap = calloc (1 + h->size / 32, 1);
273 if (h->bitmap == NULL)
276 #if 0 /* Doesn't work. */
277 /* Header checksum. */
278 uint32_t *daddr = h->addr;
281 for (i = 0; i < 0x1fc / 4; ++i) {
282 sum += le32toh (*daddr);
285 if (sum != le32toh (h->hdr->csum)) {
286 fprintf (stderr, "hivex: %s: bad checksum in hive header\n", filename);
292 h->rootoffs = le32toh (h->hdr->offset) + 0x1000;
295 printf ("hivex_open: root offset = %zu\n", h->rootoffs);
297 /* We'll set this flag when we see a block with the root offset (ie.
300 int seen_root_block = 0, bad_root_block = 0;
302 /* Read the pages and blocks. The aim here is to be robust against
303 * corrupt or malicious registries. So we make sure the loops
304 * always make forward progress. We add the address of each block
305 * we read to a hash table so pointers will only reference the start
309 struct ntreg_hbin_page *page;
310 for (off = 0x1000; off < h->size; off += le32toh (page->offset_next)) {
313 page = (struct ntreg_hbin_page *) (h->addr + off);
314 if (page->magic[0] != 'h' ||
315 page->magic[1] != 'b' ||
316 page->magic[2] != 'i' ||
317 page->magic[3] != 'n') {
318 /* This error is seemingly common in uncorrupt registry files. */
320 fprintf (stderr, "hivex: %s: ignoring trailing garbage at end of file (at %zu, after %zu pages)\n",
321 filename, off, h->pages);
327 printf ("hivex_open: page at %zu\n", off);
329 if (le32toh (page->offset_next) <= sizeof (struct ntreg_hbin_page) ||
330 (le32toh (page->offset_next) & 3) != 0) {
331 fprintf (stderr, "hivex: %s: pagesize %d at %zu, bad registry\n",
332 filename, le32toh (page->offset_next), off);
337 /* Read the blocks in this page. */
339 struct ntreg_hbin_block *block;
341 for (blkoff = off + 0x20;
342 blkoff < off + le32toh (page->offset_next);
346 int is_root = blkoff == h->rootoffs;
350 block = (struct ntreg_hbin_block *) (h->addr + blkoff);
352 seg_len = block_len (h, blkoff, &used);
353 if (seg_len <= 4 || (seg_len & 3) != 0) {
354 fprintf (stderr, "hivex: %s: block size %d at %zu, bad registry\n",
355 filename, le32toh (block->seg_len), blkoff);
361 printf ("hivex_open: %s block id %d,%d at %zu%s\n",
362 used ? "used" : "free", block->id[0], block->id[1], blkoff,
363 is_root ? " (root)" : "");
365 if (is_root && !used)
370 h->used_size += seg_len;
372 /* Root block must be an nk-block. */
373 if (is_root && (block->id[0] != 'n' || block->id[1] != 'k'))
376 /* Note this blkoff is a valid address. */
377 BITMAP_SET (h->bitmap, blkoff);
382 if (!seen_root_block) {
383 fprintf (stderr, "hivex: %s: no root block found\n", filename);
388 if (bad_root_block) {
389 fprintf (stderr, "hivex: %s: bad root block (free or not nk)\n", filename);
395 printf ("hivex_open: successfully read Windows Registry hive file:\n"
398 " blocks used: %zu\n"
399 " bytes used: %zu\n",
400 h->pages, h->blocks, h->used_blocks, h->used_size);
408 if (h->addr && h->size && h->addr != MAP_FAILED)
409 munmap (h->addr, h->size);
419 hivex_close (hive_h *h)
424 munmap (h->addr, h->size);
432 hivex_root (hive_h *h)
434 hive_node_h ret = h->rootoffs;
435 if (!IS_VALID_BLOCK (h, ret)) {
443 hivex_node_name (hive_h *h, hive_node_h node)
445 if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) {
450 struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
452 /* AFAIK the node name is always plain ASCII, so no conversion
453 * to UTF-8 is necessary. However we do need to nul-terminate
457 /* nk->name_len is unsigned, 16 bit, so this is safe ... However
458 * we have to make sure the length doesn't exceed the block length.
460 size_t len = le16toh (nk->name_len);
461 size_t seg_len = block_len (h, node, NULL);
462 if (sizeof (struct ntreg_nk_record) + len - 1 > seg_len) {
464 printf ("hivex_node_name: returning EFAULT because node name is too long (%zu, %zu)\n",
470 char *ret = malloc (len + 1);
473 memcpy (ret, nk->name, len);
479 /* I think the documentation for the sk and classname fields in the nk
480 * record is wrong, or else the offset field is in the wrong place.
481 * Otherwise this makes no sense. Disabled this for now -- it's not
482 * useful for reading the registry anyway.
486 hivex_node_security (hive_h *h, hive_node_h node)
488 if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) {
493 struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
495 hive_node_h ret = le32toh (nk->sk);
497 if (!IS_VALID_BLOCK (h, ret)) {
505 hivex_node_classname (hive_h *h, hive_node_h node)
507 if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) {
512 struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
514 hive_node_h ret = le32toh (nk->classname);
516 if (!IS_VALID_BLOCK (h, ret)) {
525 hivex_node_children (hive_h *h, hive_node_h node)
527 if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) {
532 struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
534 size_t nr_subkeys_in_nk = le32toh (nk->nr_subkeys);
536 /* Deal with the common "no subkeys" case quickly. */
538 if (nr_subkeys_in_nk == 0) {
539 ret = malloc (sizeof (hive_node_h));
546 /* Arbitrarily limit the number of subkeys we will ever deal with. */
547 if (nr_subkeys_in_nk > 1000000) {
552 /* The subkey_lf field can point either to an lf-record, which is
553 * the common case, or if there are lots of subkeys, to an
556 size_t subkey_lf = le32toh (nk->subkey_lf);
558 if (!IS_VALID_BLOCK (h, subkey_lf)) {
560 printf ("hivex_node_children: returning EFAULT because subkey_lf is not a valid block (%zu)\n",
566 struct ntreg_hbin_block *block =
567 (struct ntreg_hbin_block *) (h->addr + subkey_lf);
569 /* Points to lf-record? (Note, also "lh" but that is basically the
570 * same as "lf" as far as we are concerned here).
572 if (block->id[0] == 'l' && (block->id[1] == 'f' || block->id[1] == 'h')) {
573 struct ntreg_lf_record *lf = (struct ntreg_lf_record *) block;
575 /* Check number of subkeys in the nk-record matches number of subkeys
578 size_t nr_subkeys_in_lf = le16toh (lf->nr_keys);
581 printf ("hivex_node_children: nr_subkeys_in_nk = %zu, nr_subkeys_in_lf = %zu\n",
582 nr_subkeys_in_nk, nr_subkeys_in_lf);
584 if (nr_subkeys_in_nk != nr_subkeys_in_lf) {
589 size_t len = block_len (h, subkey_lf, NULL);
590 if (8 + nr_subkeys_in_lf * 8 > len) {
592 printf ("hivex_node_children: returning EFAULT because too many subkeys (%zu, %zu)\n",
593 nr_subkeys_in_lf, len);
598 /* Allocate space for the returned values. Note that
599 * nr_subkeys_in_lf is limited to a 16 bit value.
601 ret = malloc ((1 + nr_subkeys_in_lf) * sizeof (hive_node_h));
606 for (i = 0; i < nr_subkeys_in_lf; ++i) {
607 hive_node_h subkey = lf->keys[i].offset;
609 if (!IS_VALID_BLOCK (h, subkey)) {
611 printf ("hivex_node_children: returning EFAULT because subkey is not a valid block (%zu)\n",
622 /* Points to ri-record? */
623 else if (block->id[0] == 'r' && block->id[1] == 'i') {
624 struct ntreg_ri_record *ri = (struct ntreg_ri_record *) block;
626 size_t nr_offsets = le16toh (ri->nr_offsets);
628 /* Count total number of children. */
630 for (i = 0; i < nr_offsets; ++i) {
631 hive_node_h offset = ri->offset[i];
633 if (!IS_VALID_BLOCK (h, offset)) {
635 printf ("hivex_node_children: returning EFAULT because ri-offset is not a valid block (%zu)\n",
640 if (!BLOCK_ID_EQ (h, offset, "lf") && !BLOCK_ID_EQ (h, offset, "lh")) {
645 struct ntreg_lf_record *lf =
646 (struct ntreg_lf_record *) (h->addr + offset);
648 count += le16toh (lf->nr_keys);
652 printf ("hivex_node_children: nr_subkeys_in_nk = %zu, counted = %zu\n",
653 nr_subkeys_in_nk, count);
655 if (nr_subkeys_in_nk != count) {
660 /* Copy list of children. Note nr_subkeys_in_nk is limited to
661 * something reasonable above.
663 ret = malloc ((1 + nr_subkeys_in_nk) * sizeof (hive_node_h));
668 for (i = 0; i < nr_offsets; ++i) {
669 hive_node_h offset = ri->offset[i];
671 if (!IS_VALID_BLOCK (h, offset)) {
673 printf ("hivex_node_children: returning EFAULT because ri-offset is not a valid block (%zu)\n",
678 if (!BLOCK_ID_EQ (h, offset, "lf") && !BLOCK_ID_EQ (h, offset, "lh")) {
683 struct ntreg_lf_record *lf =
684 (struct ntreg_lf_record *) (h->addr + offset);
687 for (j = 0; j < le16toh (lf->nr_keys); ++j) {
688 hive_node_h subkey = lf->keys[j].offset;
690 if (!IS_VALID_BLOCK (h, subkey)) {
692 printf ("hivex_node_children: returning EFAULT because indirect subkey is not a valid block (%zu)\n",
698 ret[count++] = subkey;
711 /* Very inefficient, but at least having a separate API call
712 * allows us to make it more efficient in future.
715 hivex_node_get_child (hive_h *h, hive_node_h node, const char *nname)
717 hive_node_h *children = NULL;
721 children = hivex_node_children (h, node);
722 if (!children) goto error;
725 for (i = 0; children[i] != 0; ++i) {
726 name = hivex_node_name (h, children[i]);
727 if (!name) goto error;
728 if (STRCASEEQ (name, nname)) {
732 free (name); name = NULL;
742 hivex_node_parent (hive_h *h, hive_node_h node)
744 if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) {
749 struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
751 hive_node_h ret = le32toh (nk->parent);
753 printf ("parent = %zu\n", ret);
754 if (!IS_VALID_BLOCK (h, ret)) {
756 printf ("hivex_node_parent: returning EFAULT because parent is not a valid block (%zu)\n",
765 hivex_node_values (hive_h *h, hive_node_h node)
767 if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) {
772 struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
774 size_t nr_values = le32toh (nk->nr_values);
777 printf ("hivex_node_values: nr_values = %zu\n", nr_values);
779 /* Deal with the common "no values" case quickly. */
781 if (nr_values == 0) {
782 ret = malloc (sizeof (hive_node_h));
789 /* Arbitrarily limit the number of values we will ever deal with. */
790 if (nr_values > 100000) {
795 /* Get the value list and check it looks reasonable. */
796 size_t vlist_offset = le32toh (nk->vallist);
797 vlist_offset += 0x1000;
798 if (!IS_VALID_BLOCK (h, vlist_offset)) {
800 printf ("hivex_node_values: returning EFAULT because value list is not a valid block (%zu)\n",
806 struct ntreg_value_list *vlist =
807 (struct ntreg_value_list *) (h->addr + vlist_offset);
809 size_t len = block_len (h, vlist_offset, NULL);
810 if (4 + nr_values * 4 > len) {
812 printf ("hivex_node_values: returning EFAULT because value list is too long (%zu, %zu)\n",
818 /* Allocate return array and copy values in. */
819 ret = malloc ((1 + nr_values) * sizeof (hive_node_h));
824 for (i = 0; i < nr_values; ++i) {
825 hive_node_h value = vlist->offset[i];
827 if (!IS_VALID_BLOCK (h, value)) {
829 printf ("hivex_node_values: returning EFAULT because value is not a valid block (%zu)\n",
842 /* Very inefficient, but at least having a separate API call
843 * allows us to make it more efficient in future.
846 hivex_node_get_value (hive_h *h, hive_node_h node, const char *key)
848 hive_value_h *values = NULL;
850 hive_value_h ret = 0;
852 values = hivex_node_values (h, node);
853 if (!values) goto error;
856 for (i = 0; values[i] != 0; ++i) {
857 name = hivex_value_key (h, values[i]);
858 if (!name) goto error;
859 if (STRCASEEQ (name, key)) {
863 free (name); name = NULL;
873 hivex_value_key (hive_h *h, hive_value_h value)
875 if (!IS_VALID_BLOCK (h, value) || !BLOCK_ID_EQ (h, value, "vk")) {
880 struct ntreg_vk_record *vk = (struct ntreg_vk_record *) (h->addr + value);
882 /* AFAIK the key is always plain ASCII, so no conversion to UTF-8 is
883 * necessary. However we do need to nul-terminate the string.
886 /* vk->name_len is unsigned, 16 bit, so this is safe ... However
887 * we have to make sure the length doesn't exceed the block length.
889 size_t len = le16toh (vk->name_len);
890 size_t seg_len = block_len (h, value, NULL);
891 if (sizeof (struct ntreg_vk_record) + len - 1 > seg_len) {
893 printf ("hivex_value_key: returning EFAULT because key length is too long (%zu, %zu)\n",
899 char *ret = malloc (len + 1);
902 memcpy (ret, vk->name, len);
908 hivex_value_type (hive_h *h, hive_value_h value, hive_type *t, size_t *len)
910 if (!IS_VALID_BLOCK (h, value) || !BLOCK_ID_EQ (h, value, "vk")) {
915 struct ntreg_vk_record *vk = (struct ntreg_vk_record *) (h->addr + value);
918 *t = le32toh (vk->data_type);
921 *len = le32toh (vk->data_len);
922 if (*len == 0x80000000) { /* special case */
924 if (t) *t = hive_t_dword;
933 hivex_value_value (hive_h *h, hive_value_h value,
934 hive_type *t_rtn, size_t *len_rtn)
936 if (!IS_VALID_BLOCK (h, value) || !BLOCK_ID_EQ (h, value, "vk")) {
941 struct ntreg_vk_record *vk = (struct ntreg_vk_record *) (h->addr + value);
946 t = le32toh (vk->data_type);
948 len = le32toh (vk->data_len);
949 if (len == 0x80000000) { /* special case */
956 printf ("hivex_value_value: value=%zu, t=%d, len=%zu\n",
964 /* Arbitrarily limit the length that we will read. */
970 char *ret = malloc (len);
974 /* If length is <= 4 it's always stored inline. */
976 memcpy (ret, (char *) &vk->data_offset, len);
980 size_t data_offset = vk->data_offset;
981 data_offset += 0x1000;
982 if (!IS_VALID_BLOCK (h, data_offset)) {
984 printf ("hivex_value_value: returning EFAULT because data offset is not a valid block (%zu)\n",
991 /* Check that the declared size isn't larger than the block its in. */
992 size_t blen = block_len (h, data_offset, NULL);
995 printf ("hivex_value_value: returning EFAULT because data is longer than its block (%zu, %zu)\n",
1002 char *data = h->addr + data_offset + 4;
1003 memcpy (ret, data, len);
1008 windows_utf16_to_utf8 (/* const */ char *input, size_t len)
1010 iconv_t ic = iconv_open ("UTF-8", "UTF-16");
1011 if (ic == (iconv_t) -1)
1014 /* iconv(3) has an insane interface ... */
1016 /* Mostly UTF-8 will be smaller, so this is a good initial guess. */
1017 size_t outalloc = len;
1021 size_t outlen = outalloc;
1022 char *out = malloc (outlen + 1);
1032 size_t r = iconv (ic, &inp, &inlen, &outp, &outlen);
1033 if (r == (size_t) -1) {
1034 if (errno == E2BIG) {
1035 size_t prev = outalloc;
1036 /* Try again with a larger output buffer. */
1039 if (outalloc < prev)
1044 /* Else some conversion failure, eg. EILSEQ, EINVAL. */
1060 hivex_value_string (hive_h *h, hive_value_h value)
1064 char *data = hivex_value_value (h, value, &t, &len);
1069 if (t != hive_t_string && t != hive_t_expand_string && t != hive_t_link) {
1075 char *ret = windows_utf16_to_utf8 (data, len);
1084 free_strings (char **argv)
1089 for (i = 0; argv[i] != NULL; ++i)
1095 /* Get the length of a UTF-16 format string. Handle the string as
1096 * pairs of bytes, looking for the first \0\0 pair.
1099 utf16_string_len_in_bytes (const char *str)
1103 while (str[0] || str[1]) {
1111 /* http://blogs.msdn.com/oldnewthing/archive/2009/10/08/9904646.aspx */
1113 hivex_value_multiple_strings (hive_h *h, hive_value_h value)
1117 char *data = hivex_value_value (h, value, &t, &len);
1122 if (t != hive_t_multiple_strings) {
1128 size_t nr_strings = 0;
1129 char **ret = malloc ((1 + nr_strings) * sizeof (char *));
1139 while (p < data + len && (plen = utf16_string_len_in_bytes (p)) > 0) {
1141 char **ret2 = realloc (ret, (1 + nr_strings) * sizeof (char *));
1149 ret[nr_strings-1] = windows_utf16_to_utf8 (p, plen);
1150 ret[nr_strings] = NULL;
1151 if (ret[nr_strings-1] == NULL) {
1157 p += plen + 2 /* skip over UTF-16 \0\0 at the end of this string */;
1165 hivex_value_dword (hive_h *h, hive_value_h value)
1169 char *data = hivex_value_value (h, value, &t, &len);
1174 if ((t != hive_t_dword && t != hive_t_dword_be) || len != 4) {
1180 int32_t ret = *(int32_t*)data;
1182 if (t == hive_t_dword) /* little endian */
1183 ret = le32toh (ret);
1185 ret = be32toh (ret);
1191 hivex_value_qword (hive_h *h, hive_value_h value)
1195 char *data = hivex_value_value (h, value, &t, &len);
1200 if (t != hive_t_qword || len != 8) {
1206 int64_t ret = *(int64_t*)data;
1208 ret = le64toh (ret); /* always little endian */
1214 hivex_visit (hive_h *h, const struct hivex_visitor *visitor, size_t len,
1215 void *opaque, int flags)
1217 return hivex_visit_node (h, hivex_root (h), visitor, len, opaque, flags);
1220 static int hivex__visit_node (hive_h *h, hive_node_h node, const struct hivex_visitor *vtor, char *unvisited, void *opaque, int flags);
1223 hivex_visit_node (hive_h *h, hive_node_h node,
1224 const struct hivex_visitor *visitor, size_t len, void *opaque,
1227 struct hivex_visitor vtor;
1228 memset (&vtor, 0, sizeof vtor);
1230 /* Note that len might be larger *or smaller* than the expected size. */
1231 size_t copysize = len <= sizeof vtor ? len : sizeof vtor;
1232 memcpy (&vtor, visitor, copysize);
1234 /* This bitmap records unvisited nodes, so we don't loop if the
1235 * registry contains cycles.
1237 char *unvisited = malloc (1 + h->size / 32);
1238 if (unvisited == NULL)
1240 memcpy (unvisited, h->bitmap, 1 + h->size / 32);
1242 int r = hivex__visit_node (h, node, &vtor, unvisited, opaque, flags);
1248 hivex__visit_node (hive_h *h, hive_node_h node,
1249 const struct hivex_visitor *vtor, char *unvisited,
1250 void *opaque, int flags)
1252 int skip_bad = flags & HIVEX_VISIT_SKIP_BAD;
1254 hive_value_h *values = NULL;
1255 hive_node_h *children = NULL;
1261 /* Return -1 on all callback errors. However on internal errors,
1262 * check if skip_bad is set and suppress those errors if so.
1266 if (!BITMAP_TST (unvisited, node)) {
1268 printf ("hivex__visit_node: contains cycle: visited node %zu already\n",
1272 return skip_bad ? 0 : -1;
1274 BITMAP_CLR (unvisited, node);
1276 name = hivex_node_name (h, node);
1277 if (!name) return skip_bad ? 0 : -1;
1278 if (vtor->node_start && vtor->node_start (h, opaque, node, name) == -1)
1281 values = hivex_node_values (h, node);
1283 ret = skip_bad ? 0 : -1;
1287 for (i = 0; values[i] != 0; ++i) {
1291 if (hivex_value_type (h, values[i], &t, &len) == -1) {
1292 ret = skip_bad ? 0 : -1;
1296 key = hivex_value_key (h, values[i]);
1298 ret = skip_bad ? 0 : -1;
1304 str = hivex_value_value (h, values[i], &t, &len);
1306 ret = skip_bad ? 0 : -1;
1309 if (t != hive_t_none) {
1310 ret = skip_bad ? 0 : -1;
1313 if (vtor->value_none &&
1314 vtor->value_none (h, opaque, node, values[i], t, len, key, str) == -1)
1316 free (str); str = NULL;
1320 case hive_t_expand_string:
1322 str = hivex_value_string (h, values[i]);
1324 if (errno != EILSEQ && errno != EINVAL) {
1325 ret = skip_bad ? 0 : -1;
1328 if (vtor->value_string_invalid_utf16) {
1329 str = hivex_value_value (h, values[i], &t, &len);
1330 if (vtor->value_string_invalid_utf16 (h, opaque, node, values[i], t, len, key, str) == -1)
1332 free (str); str = NULL;
1336 if (vtor->value_string &&
1337 vtor->value_string (h, opaque, node, values[i], t, len, key, str) == -1)
1339 free (str); str = NULL;
1343 case hive_t_dword_be: {
1344 int32_t i32 = hivex_value_dword (h, values[i]);
1345 if (vtor->value_dword &&
1346 vtor->value_dword (h, opaque, node, values[i], t, len, key, i32) == -1)
1351 case hive_t_qword: {
1352 int64_t i64 = hivex_value_qword (h, values[i]);
1353 if (vtor->value_qword &&
1354 vtor->value_qword (h, opaque, node, values[i], t, len, key, i64) == -1)
1360 str = hivex_value_value (h, values[i], &t, &len);
1362 ret = skip_bad ? 0 : -1;
1365 if (t != hive_t_binary) {
1366 ret = skip_bad ? 0 : -1;
1369 if (vtor->value_binary &&
1370 vtor->value_binary (h, opaque, node, values[i], t, len, key, str) == -1)
1372 free (str); str = NULL;
1375 case hive_t_multiple_strings:
1376 strs = hivex_value_multiple_strings (h, values[i]);
1378 if (errno != EILSEQ && errno != EINVAL) {
1379 ret = skip_bad ? 0 : -1;
1382 if (vtor->value_string_invalid_utf16) {
1383 str = hivex_value_value (h, values[i], &t, &len);
1384 if (vtor->value_string_invalid_utf16 (h, opaque, node, values[i], t, len, key, str) == -1)
1386 free (str); str = NULL;
1390 if (vtor->value_multiple_strings &&
1391 vtor->value_multiple_strings (h, opaque, node, values[i], t, len, key, strs) == -1)
1393 free_strings (strs); strs = NULL;
1396 case hive_t_resource_list:
1397 case hive_t_full_resource_description:
1398 case hive_t_resource_requirements_list:
1400 str = hivex_value_value (h, values[i], &t, &len);
1402 ret = skip_bad ? 0 : -1;
1405 if (vtor->value_other &&
1406 vtor->value_other (h, opaque, node, values[i], t, len, key, str) == -1)
1408 free (str); str = NULL;
1412 free (key); key = NULL;
1415 children = hivex_node_children (h, node);
1416 if (children == NULL) {
1417 ret = skip_bad ? 0 : -1;
1421 for (i = 0; children[i] != 0; ++i) {
1423 printf ("hivex__visit_node: %s: visiting subkey %d (%zu)\n",
1424 name, i, children[i]);
1426 if (hivex__visit_node (h, children[i], vtor, unvisited, opaque, flags) == -1)
1430 if (vtor->node_end && vtor->node_end (h, opaque, node, name) == -1)
1441 free_strings (strs);
git.annexia.org / libguestfs.git / blob