1 /* hivex - Windows Registry "hive" extraction library.
2 * Copyright (C) 2009-2010 Red Hat Inc.
3 * Derived from code by Petter Nordahl-Hagen under a compatible license:
4 * Copyright (c) 1997-2007 Petter Nordahl-Hagen.
5 * Derived from code by Markus Stephany under a compatible license:
6 * Copyright (c) 2000-2004, Markus Stephany.
8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public
10 * License as published by the Free Software Foundation;
11 * version 2.1 of the License.
13 * This library is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * See file LICENSE for the full license.
37 #include "full-read.h"
43 #define STREQ(a,b) (strcmp((a),(b)) == 0)
44 #define STRCASEEQ(a,b) (strcasecmp((a),(b)) == 0)
45 //#define STRNEQ(a,b) (strcmp((a),(b)) != 0)
46 //#define STRCASENEQ(a,b) (strcasecmp((a),(b)) != 0)
47 #define STREQLEN(a,b,n) (strncmp((a),(b),(n)) == 0)
48 //#define STRCASEEQLEN(a,b,n) (strncasecmp((a),(b),(n)) == 0)
49 //#define STRNEQLEN(a,b,n) (strncmp((a),(b),(n)) != 0)
50 //#define STRCASENEQLEN(a,b,n) (strncasecmp((a),(b),(n)) != 0)
51 //#define STRPREFIX(a,b) (strncmp((a),(b),strlen((b))) == 0)
54 #include "byte_conversions.h"
56 static char *windows_utf16_to_utf8 (/* const */ char *input, size_t len);
65 /* Registry file, memory mapped if read-only, or malloc'd if writing. */
68 struct ntreg_header *hdr;
71 /* Use a bitmap to store which file offsets are valid (point to a
72 * used block). We only need to store 1 bit per 32 bits of the file
73 * (because blocks are 4-byte aligned). We found that the average
74 * block size in a registry file is ~50 bytes. So roughly 1 in 12
75 * bits in the bitmap will be set, making it likely a more efficient
76 * structure than a hash table.
79 #define BITMAP_SET(bitmap,off) (bitmap[(off)>>5] |= 1 << (((off)>>2)&7))
80 #define BITMAP_CLR(bitmap,off) (bitmap[(off)>>5] &= ~ (1 << (((off)>>2)&7)))
81 #define BITMAP_TST(bitmap,off) (bitmap[(off)>>5] & (1 << (((off)>>2)&7)))
82 #define IS_VALID_BLOCK(h,off) \
83 (((off) & 3) == 0 && \
85 (off) < (h)->size && \
86 BITMAP_TST((h)->bitmap,(off)))
88 /* Fields from the header, extracted from little-endianness hell. */
89 size_t rootoffs; /* Root key offset (always an nk-block). */
90 size_t endpages; /* Offset of end of pages. */
93 /* NB. All fields are little endian. */
95 char magic[4]; /* "regf" */
98 char last_modified[8];
99 uint32_t major_ver; /* 1 */
100 uint32_t minor_ver; /* 3 */
101 uint32_t unknown5; /* 0 */
102 uint32_t unknown6; /* 1 */
103 uint32_t offset; /* offset of root key record - 4KB */
104 uint32_t blocks; /* pointer AFTER last hbin in file - 4KB */
105 uint32_t unknown7; /* 1 */
107 char name[64]; /* original file name of hive */
108 char unknown_guid1[16];
109 char unknown_guid2[16];
112 char unknown_guid3[16];
117 uint32_t csum; /* checksum: xor of dwords 0-0x1fb. */
119 char unknown11[3528];
121 char unknown_guid4[16];
122 char unknown_guid5[16];
123 char unknown_guid6[16];
127 } __attribute__((__packed__));
129 struct ntreg_hbin_page {
130 char magic[4]; /* "hbin" */
131 uint32_t offset_first; /* offset from 1st block */
132 uint32_t page_size; /* size of this page (multiple of 4KB) */
134 /* Linked list of blocks follows here. */
135 } __attribute__((__packed__));
137 struct ntreg_hbin_block {
138 int32_t seg_len; /* length of this block (-ve for used block) */
139 char id[2]; /* the block type (eg. "nk" for nk record) */
140 /* Block data follows here. */
141 } __attribute__((__packed__));
143 #define BLOCK_ID_EQ(h,offs,eqid) \
144 (STREQLEN (((struct ntreg_hbin_block *)((h)->addr + (offs)))->id, (eqid), 2))
147 block_len (hive_h *h, size_t blkoff, int *used)
149 struct ntreg_hbin_block *block;
150 block = (struct ntreg_hbin_block *) (h->addr + blkoff);
152 int32_t len = le32toh (block->seg_len);
163 struct ntreg_nk_record {
164 int32_t seg_len; /* length (always -ve because used) */
165 char id[2]; /* "nk" */
169 uint32_t parent; /* offset of owner/parent */
170 uint32_t nr_subkeys; /* number of subkeys */
171 uint32_t nr_subkeys_volatile;
172 uint32_t subkey_lf; /* lf record containing list of subkeys */
173 uint32_t subkey_lf_volatile;
174 uint32_t nr_values; /* number of values */
175 uint32_t vallist; /* value-list record */
176 uint32_t sk; /* offset of sk-record */
177 uint32_t classname; /* offset of classname record */
178 uint16_t max_subkey_name_len; /* maximum length of a subkey name in bytes
179 if the subkey was reencoded as UTF-16LE */
182 uint32_t max_vk_name_len; /* maximum length of any vk name in bytes
183 if the name was reencoded as UTF-16LE */
184 uint32_t max_vk_data_len; /* maximum length of any vk data in bytes */
186 uint16_t name_len; /* length of name */
187 uint16_t classname_len; /* length of classname */
188 char name[1]; /* name follows here */
189 } __attribute__((__packed__));
191 struct ntreg_lf_record {
193 char id[2]; /* "lf" */
194 uint16_t nr_keys; /* number of keys in this record */
196 uint32_t offset; /* offset of nk-record for this subkey */
197 char hash[4]; /* hash of subkey name */
199 } __attribute__((__packed__));
201 struct ntreg_ri_record {
203 char id[2]; /* "ri" */
204 uint16_t nr_offsets; /* number of pointers to lh records */
205 uint32_t offset[1]; /* list of pointers to lh records */
206 } __attribute__((__packed__));
208 /* This has no ID header. */
209 struct ntreg_value_list {
211 uint32_t offset[1]; /* list of pointers to vk records */
212 } __attribute__((__packed__));
214 struct ntreg_vk_record {
215 int32_t seg_len; /* length (always -ve because used) */
216 char id[2]; /* "vk" */
217 uint16_t name_len; /* length of name */
218 /* length of the data:
219 * If data_len is <= 4, then it's stored inline.
220 * If data_len is 0x80000000, then it's an inline dword.
221 * Top bit may be set or not set at random.
224 uint32_t data_offset; /* pointer to the data (or data if inline) */
225 uint32_t data_type; /* type of the data */
226 uint16_t flags; /* bit 0 set => key name ASCII,
227 bit 0 clr => key name UTF-16.
228 Only seen ASCII here in the wild.
229 NB: this is CLEAR for default key. */
231 char name[1]; /* key name follows here */
232 } __attribute__((__packed__));
235 header_checksum (const hive_h *h)
237 uint32_t *daddr = (uint32_t *) h->addr;
241 for (i = 0; i < 0x1fc / 4; ++i) {
242 sum ^= le32toh (*daddr);
250 hivex_open (const char *filename, int flags)
254 assert (sizeof (struct ntreg_header) == 0x1000);
255 assert (offsetof (struct ntreg_header, csum) == 0x1fc);
257 h = calloc (1, sizeof *h);
261 h->msglvl = flags & HIVEX_OPEN_MSGLVL_MASK;
263 const char *debug = getenv ("HIVEX_DEBUG");
264 if (debug && STREQ (debug, "1"))
268 fprintf (stderr, "hivex_open: created handle %p\n", h);
270 h->writable = !!(flags & HIVEX_OPEN_WRITE);
271 h->filename = strdup (filename);
272 if (h->filename == NULL)
275 h->fd = open (filename, O_RDONLY | O_CLOEXEC);
280 if (fstat (h->fd, &statbuf) == -1)
283 h->size = statbuf.st_size;
286 h->addr = mmap (NULL, h->size, PROT_READ, MAP_SHARED, h->fd, 0);
287 if (h->addr == MAP_FAILED)
291 fprintf (stderr, "hivex_open: mapped file at %p\n", h->addr);
293 h->addr = malloc (h->size);
297 if (full_read (h->fd, h->addr, h->size) < h->size)
302 if (h->hdr->magic[0] != 'r' ||
303 h->hdr->magic[1] != 'e' ||
304 h->hdr->magic[2] != 'g' ||
305 h->hdr->magic[3] != 'f') {
306 fprintf (stderr, "hivex: %s: not a Windows NT Registry hive file\n",
312 /* Check major version. */
313 uint32_t major_ver = le32toh (h->hdr->major_ver);
314 if (major_ver != 1) {
316 "hivex: %s: hive file major version %" PRIu32 " (expected 1)\n",
317 filename, major_ver);
322 h->bitmap = calloc (1 + h->size / 32, 1);
323 if (h->bitmap == NULL)
326 /* Header checksum. */
327 uint32_t sum = header_checksum (h);
328 if (sum != le32toh (h->hdr->csum)) {
329 fprintf (stderr, "hivex: %s: bad checksum in hive header\n", filename);
334 if (h->msglvl >= 2) {
335 char *name = windows_utf16_to_utf8 (h->hdr->name, 64);
338 "hivex_open: header fields:\n"
339 " file version %" PRIu32 ".%" PRIu32 "\n"
340 " sequence nos %" PRIu32 " %" PRIu32 "\n"
341 " (sequences nos should match if hive was synched at shutdown)\n"
342 " original file name %s\n"
343 " (only 32 chars are stored, name is probably truncated)\n"
344 " root offset 0x%x + 0x1000\n"
345 " end of last page 0x%x + 0x1000 (total file size 0x%zx)\n"
346 " checksum 0x%x (calculated 0x%x)\n",
347 major_ver, le32toh (h->hdr->minor_ver),
348 le32toh (h->hdr->sequence1), le32toh (h->hdr->sequence2),
349 name ? name : "(conversion failed)",
350 le32toh (h->hdr->offset),
351 le32toh (h->hdr->blocks), h->size,
352 le32toh (h->hdr->csum), sum);
356 h->rootoffs = le32toh (h->hdr->offset) + 0x1000;
357 h->endpages = le32toh (h->hdr->blocks) + 0x1000;
360 fprintf (stderr, "hivex_open: root offset = 0x%zx\n", h->rootoffs);
362 /* We'll set this flag when we see a block with the root offset (ie.
365 int seen_root_block = 0, bad_root_block = 0;
367 /* Collect some stats. */
368 size_t pages = 0; /* Number of hbin pages read. */
369 size_t smallest_page = SIZE_MAX, largest_page = 0;
370 size_t blocks = 0; /* Total number of blocks found. */
371 size_t smallest_block = SIZE_MAX, largest_block = 0, blocks_bytes = 0;
372 size_t used_blocks = 0; /* Total number of used blocks found. */
373 size_t used_size = 0; /* Total size (bytes) of used blocks. */
375 /* Read the pages and blocks. The aim here is to be robust against
376 * corrupt or malicious registries. So we make sure the loops
377 * always make forward progress. We add the address of each block
378 * we read to a hash table so pointers will only reference the start
382 struct ntreg_hbin_page *page;
383 for (off = 0x1000; off < h->size; off += le32toh (page->page_size)) {
384 if (off >= h->endpages)
387 page = (struct ntreg_hbin_page *) (h->addr + off);
388 if (page->magic[0] != 'h' ||
389 page->magic[1] != 'b' ||
390 page->magic[2] != 'i' ||
391 page->magic[3] != 'n') {
392 fprintf (stderr, "hivex: %s: trailing garbage at end of file (at 0x%zx, after %zu pages)\n",
393 filename, off, pages);
398 size_t page_size = le32toh (page->page_size);
400 fprintf (stderr, "hivex_open: page at 0x%zx, size %zu\n", off, page_size);
402 if (page_size < smallest_page) smallest_page = page_size;
403 if (page_size > largest_page) largest_page = page_size;
405 if (page_size <= sizeof (struct ntreg_hbin_page) ||
406 (page_size & 0x0fff) != 0) {
407 fprintf (stderr, "hivex: %s: page size %zu at 0x%zx, bad registry\n",
408 filename, page_size, off);
413 /* Read the blocks in this page. */
415 struct ntreg_hbin_block *block;
417 for (blkoff = off + 0x20;
418 blkoff < off + page_size;
422 int is_root = blkoff == h->rootoffs;
426 block = (struct ntreg_hbin_block *) (h->addr + blkoff);
428 seg_len = block_len (h, blkoff, &used);
429 if (seg_len <= 4 || (seg_len & 3) != 0) {
430 fprintf (stderr, "hivex: %s: block size %" PRIu32 " at 0x%zx, bad registry\n",
431 filename, le32toh (block->seg_len), blkoff);
437 fprintf (stderr, "hivex_open: %s block id %d,%d at 0x%zx size %zu%s\n",
438 used ? "used" : "free", block->id[0], block->id[1], blkoff,
439 seg_len, is_root ? " (root)" : "");
441 blocks_bytes += seg_len;
442 if (seg_len < smallest_block) smallest_block = seg_len;
443 if (seg_len > largest_block) largest_block = seg_len;
445 if (is_root && !used)
450 used_size += seg_len;
452 /* Root block must be an nk-block. */
453 if (is_root && (block->id[0] != 'n' || block->id[1] != 'k'))
456 /* Note this blkoff is a valid address. */
457 BITMAP_SET (h->bitmap, blkoff);
462 if (!seen_root_block) {
463 fprintf (stderr, "hivex: %s: no root block found\n", filename);
468 if (bad_root_block) {
469 fprintf (stderr, "hivex: %s: bad root block (free or not nk)\n", filename);
476 "hivex_open: successfully read Windows Registry hive file:\n"
477 " pages: %zu [sml: %zu, lge: %zu]\n"
478 " blocks: %zu [sml: %zu, avg: %zu, lge: %zu]\n"
479 " blocks used: %zu\n"
480 " bytes used: %zu\n",
481 pages, smallest_page, largest_page,
482 blocks, smallest_block, blocks_bytes / blocks, largest_block,
483 used_blocks, used_size);
491 if (h->addr && h->size && h->addr != MAP_FAILED) {
493 munmap (h->addr, h->size);
507 hivex_close (hive_h *h)
513 munmap (h->addr, h->size);
524 hivex_root (hive_h *h)
526 hive_node_h ret = h->rootoffs;
527 if (!IS_VALID_BLOCK (h, ret)) {
535 hivex_node_name (hive_h *h, hive_node_h node)
537 if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) {
542 struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
544 /* AFAIK the node name is always plain ASCII, so no conversion
545 * to UTF-8 is necessary. However we do need to nul-terminate
549 /* nk->name_len is unsigned, 16 bit, so this is safe ... However
550 * we have to make sure the length doesn't exceed the block length.
552 size_t len = le16toh (nk->name_len);
553 size_t seg_len = block_len (h, node, NULL);
554 if (sizeof (struct ntreg_nk_record) + len - 1 > seg_len) {
556 fprintf (stderr, "hivex_node_name: returning EFAULT because node name is too long (%zu, %zu)\n",
562 char *ret = malloc (len + 1);
565 memcpy (ret, nk->name, len);
571 /* I think the documentation for the sk and classname fields in the nk
572 * record is wrong, or else the offset field is in the wrong place.
573 * Otherwise this makes no sense. Disabled this for now -- it's not
574 * useful for reading the registry anyway.
578 hivex_node_security (hive_h *h, hive_node_h node)
580 if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) {
585 struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
587 hive_node_h ret = le32toh (nk->sk);
589 if (!IS_VALID_BLOCK (h, ret)) {
597 hivex_node_classname (hive_h *h, hive_node_h node)
599 if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) {
604 struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
606 hive_node_h ret = le32toh (nk->classname);
608 if (!IS_VALID_BLOCK (h, ret)) {
616 /* Structure for returning 0-terminated lists of offsets (nodes,
626 init_offset_list (struct offset_list *list)
630 list->offsets = NULL;
633 #define INIT_OFFSET_LIST(name) \
634 struct offset_list name; \
635 init_offset_list (&name)
637 /* Preallocates the offset_list, but doesn't make the contents longer. */
639 grow_offset_list (struct offset_list *list, size_t alloc)
641 assert (alloc >= list->len);
642 size_t *p = realloc (list->offsets, alloc * sizeof (size_t));
651 add_to_offset_list (struct offset_list *list, size_t offset)
653 if (list->len >= list->alloc) {
654 if (grow_offset_list (list, list->alloc ? list->alloc * 2 : 4) == -1)
657 list->offsets[list->len] = offset;
663 free_offset_list (struct offset_list *list)
665 free (list->offsets);
669 return_offset_list (struct offset_list *list)
671 if (add_to_offset_list (list, 0) == -1)
673 return list->offsets; /* caller frees */
676 /* Iterate over children, returning child nodes and intermediate blocks. */
678 get_children (hive_h *h, hive_node_h node,
679 hive_node_h **children_ret, size_t **blocks_ret)
681 if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) {
686 struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
688 size_t nr_subkeys_in_nk = le32toh (nk->nr_subkeys);
690 INIT_OFFSET_LIST (children);
691 INIT_OFFSET_LIST (blocks);
693 /* Deal with the common "no subkeys" case quickly. */
694 if (nr_subkeys_in_nk == 0)
697 /* Arbitrarily limit the number of subkeys we will ever deal with. */
698 if (nr_subkeys_in_nk > 1000000) {
703 /* Preallocate space for the children. */
704 if (grow_offset_list (&children, nr_subkeys_in_nk) == -1)
707 /* The subkey_lf field can point either to an lf-record, which is
708 * the common case, or if there are lots of subkeys, to an
711 size_t subkey_lf = le32toh (nk->subkey_lf);
713 if (!IS_VALID_BLOCK (h, subkey_lf)) {
715 fprintf (stderr, "hivex_node_children: returning EFAULT because subkey_lf is not a valid block (%zu)\n",
721 if (add_to_offset_list (&blocks, subkey_lf) == -1)
724 struct ntreg_hbin_block *block =
725 (struct ntreg_hbin_block *) (h->addr + subkey_lf);
727 /* Points to lf-record? (Note, also "lh" but that is basically the
728 * same as "lf" as far as we are concerned here).
730 if (block->id[0] == 'l' && (block->id[1] == 'f' || block->id[1] == 'h')) {
731 struct ntreg_lf_record *lf = (struct ntreg_lf_record *) block;
733 /* Check number of subkeys in the nk-record matches number of subkeys
736 size_t nr_subkeys_in_lf = le16toh (lf->nr_keys);
739 fprintf (stderr, "hivex_node_children: nr_subkeys_in_nk = %zu, nr_subkeys_in_lf = %zu\n",
740 nr_subkeys_in_nk, nr_subkeys_in_lf);
742 if (nr_subkeys_in_nk != nr_subkeys_in_lf) {
747 size_t len = block_len (h, subkey_lf, NULL);
748 if (8 + nr_subkeys_in_lf * 8 > len) {
750 fprintf (stderr, "hivex_node_children: returning EFAULT because too many subkeys (%zu, %zu)\n",
751 nr_subkeys_in_lf, len);
757 for (i = 0; i < nr_subkeys_in_lf; ++i) {
758 hive_node_h subkey = le32toh (lf->keys[i].offset);
760 if (!IS_VALID_BLOCK (h, subkey)) {
762 fprintf (stderr, "hivex_node_children: returning EFAULT because subkey is not a valid block (0x%zx)\n",
767 if (add_to_offset_list (&children, subkey) == -1)
772 /* Points to ri-record? */
773 else if (block->id[0] == 'r' && block->id[1] == 'i') {
774 struct ntreg_ri_record *ri = (struct ntreg_ri_record *) block;
776 size_t nr_offsets = le16toh (ri->nr_offsets);
778 /* Count total number of children. */
780 for (i = 0; i < nr_offsets; ++i) {
781 hive_node_h offset = ri->offset[i];
783 if (!IS_VALID_BLOCK (h, offset)) {
785 fprintf (stderr, "hivex_node_children: returning EFAULT because ri-offset is not a valid block (0x%zx)\n",
790 if (!BLOCK_ID_EQ (h, offset, "lf") && !BLOCK_ID_EQ (h, offset, "lh")) {
795 if (add_to_offset_list (&blocks, offset) == -1)
798 struct ntreg_lf_record *lf =
799 (struct ntreg_lf_record *) (h->addr + offset);
801 count += le16toh (lf->nr_keys);
805 fprintf (stderr, "hivex_node_children: nr_subkeys_in_nk = %zu, counted = %zu\n",
806 nr_subkeys_in_nk, count);
808 if (nr_subkeys_in_nk != count) {
813 /* Copy list of children. Note nr_subkeys_in_nk is limited to
814 * something reasonable above.
816 for (i = 0; i < nr_offsets; ++i) {
817 hive_node_h offset = ri->offset[i];
819 if (!IS_VALID_BLOCK (h, offset)) {
821 fprintf (stderr, "hivex_node_children: returning EFAULT because ri-offset is not a valid block (0x%zx)\n",
826 if (!BLOCK_ID_EQ (h, offset, "lf") && !BLOCK_ID_EQ (h, offset, "lh")) {
831 struct ntreg_lf_record *lf =
832 (struct ntreg_lf_record *) (h->addr + offset);
835 for (j = 0; j < le16toh (lf->nr_keys); ++j) {
836 hive_node_h subkey = le32toh (lf->keys[j].offset);
838 if (!IS_VALID_BLOCK (h, subkey)) {
840 fprintf (stderr, "hivex_node_children: returning EFAULT because indirect subkey is not a valid block (0x%zx)\n",
845 if (add_to_offset_list (&children, subkey) == -1)
851 /* else not supported, set errno and fall through */
854 free_offset_list (&children);
855 free_offset_list (&blocks);
859 *children_ret = return_offset_list (&children);
860 *blocks_ret = return_offset_list (&blocks);
861 if (!*children_ret || !*blocks_ret)
867 hivex_node_children (hive_h *h, hive_node_h node)
869 hive_node_h *children;
872 if (get_children (h, node, &children, &blocks) == -1)
879 /* Very inefficient, but at least having a separate API call
880 * allows us to make it more efficient in future.
883 hivex_node_get_child (hive_h *h, hive_node_h node, const char *nname)
885 hive_node_h *children = NULL;
889 children = hivex_node_children (h, node);
890 if (!children) goto error;
893 for (i = 0; children[i] != 0; ++i) {
894 name = hivex_node_name (h, children[i]);
895 if (!name) goto error;
896 if (STRCASEEQ (name, nname)) {
900 free (name); name = NULL;
910 hivex_node_parent (hive_h *h, hive_node_h node)
912 if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) {
917 struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
919 hive_node_h ret = le32toh (nk->parent);
921 if (!IS_VALID_BLOCK (h, ret)) {
923 fprintf (stderr, "hivex_node_parent: returning EFAULT because parent is not a valid block (0x%zx)\n",
932 get_values (hive_h *h, hive_node_h node,
933 hive_value_h **values_ret, size_t **blocks_ret)
935 if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) {
940 struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
942 size_t nr_values = le32toh (nk->nr_values);
945 fprintf (stderr, "hivex_node_values: nr_values = %zu\n", nr_values);
947 INIT_OFFSET_LIST (values);
948 INIT_OFFSET_LIST (blocks);
950 /* Deal with the common "no values" case quickly. */
954 /* Arbitrarily limit the number of values we will ever deal with. */
955 if (nr_values > 100000) {
960 /* Preallocate space for the values. */
961 if (grow_offset_list (&values, nr_values) == -1)
964 /* Get the value list and check it looks reasonable. */
965 size_t vlist_offset = le32toh (nk->vallist);
966 vlist_offset += 0x1000;
967 if (!IS_VALID_BLOCK (h, vlist_offset)) {
969 fprintf (stderr, "hivex_node_values: returning EFAULT because value list is not a valid block (0x%zx)\n",
975 if (add_to_offset_list (&blocks, vlist_offset) == -1)
978 struct ntreg_value_list *vlist =
979 (struct ntreg_value_list *) (h->addr + vlist_offset);
981 size_t len = block_len (h, vlist_offset, NULL);
982 if (4 + nr_values * 4 > len) {
984 fprintf (stderr, "hivex_node_values: returning EFAULT because value list is too long (%zu, %zu)\n",
991 for (i = 0; i < nr_values; ++i) {
992 hive_node_h value = vlist->offset[i];
994 if (!IS_VALID_BLOCK (h, value)) {
996 fprintf (stderr, "hivex_node_values: returning EFAULT because value is not a valid block (0x%zx)\n",
1001 if (add_to_offset_list (&values, value) == -1)
1006 *values_ret = return_offset_list (&values);
1007 *blocks_ret = return_offset_list (&blocks);
1008 if (!*values_ret || !*blocks_ret)
1013 free_offset_list (&values);
1014 free_offset_list (&blocks);
1019 hivex_node_values (hive_h *h, hive_node_h node)
1021 hive_value_h *values;
1024 if (get_values (h, node, &values, &blocks) == -1)
1031 /* Very inefficient, but at least having a separate API call
1032 * allows us to make it more efficient in future.
1035 hivex_node_get_value (hive_h *h, hive_node_h node, const char *key)
1037 hive_value_h *values = NULL;
1039 hive_value_h ret = 0;
1041 values = hivex_node_values (h, node);
1042 if (!values) goto error;
1045 for (i = 0; values[i] != 0; ++i) {
1046 name = hivex_value_key (h, values[i]);
1047 if (!name) goto error;
1048 if (STRCASEEQ (name, key)) {
1052 free (name); name = NULL;
1062 hivex_value_key (hive_h *h, hive_value_h value)
1064 if (!IS_VALID_BLOCK (h, value) || !BLOCK_ID_EQ (h, value, "vk")) {
1069 struct ntreg_vk_record *vk = (struct ntreg_vk_record *) (h->addr + value);
1071 /* AFAIK the key is always plain ASCII, so no conversion to UTF-8 is
1072 * necessary. However we do need to nul-terminate the string.
1075 /* vk->name_len is unsigned, 16 bit, so this is safe ... However
1076 * we have to make sure the length doesn't exceed the block length.
1078 size_t len = le16toh (vk->name_len);
1079 size_t seg_len = block_len (h, value, NULL);
1080 if (sizeof (struct ntreg_vk_record) + len - 1 > seg_len) {
1082 fprintf (stderr, "hivex_value_key: returning EFAULT because key length is too long (%zu, %zu)\n",
1088 char *ret = malloc (len + 1);
1091 memcpy (ret, vk->name, len);
1097 hivex_value_type (hive_h *h, hive_value_h value, hive_type *t, size_t *len)
1099 if (!IS_VALID_BLOCK (h, value) || !BLOCK_ID_EQ (h, value, "vk")) {
1104 struct ntreg_vk_record *vk = (struct ntreg_vk_record *) (h->addr + value);
1107 *t = le32toh (vk->data_type);
1110 *len = le32toh (vk->data_len);
1111 if (*len == 0x80000000) { /* special case */
1113 if (t) *t = hive_t_dword;
1122 hivex_value_value (hive_h *h, hive_value_h value,
1123 hive_type *t_rtn, size_t *len_rtn)
1125 if (!IS_VALID_BLOCK (h, value) || !BLOCK_ID_EQ (h, value, "vk")) {
1130 struct ntreg_vk_record *vk = (struct ntreg_vk_record *) (h->addr + value);
1135 t = le32toh (vk->data_type);
1137 len = le32toh (vk->data_len);
1138 if (len == 0x80000000) { /* special case */
1145 fprintf (stderr, "hivex_value_value: value=0x%zx, t=%d, len=%zu\n",
1153 /* Arbitrarily limit the length that we will read. */
1154 if (len > 1000000) {
1159 char *ret = malloc (len);
1163 /* If length is <= 4 it's always stored inline. */
1165 memcpy (ret, (char *) &vk->data_offset, len);
1169 size_t data_offset = le32toh (vk->data_offset);
1170 data_offset += 0x1000;
1171 if (!IS_VALID_BLOCK (h, data_offset)) {
1173 fprintf (stderr, "hivex_value_value: returning EFAULT because data offset is not a valid block (0x%zx)\n",
1180 /* Check that the declared size isn't larger than the block its in. */
1181 size_t blen = block_len (h, data_offset, NULL);
1182 if (len > blen - 4 /* subtract 4 for block header */) {
1184 fprintf (stderr, "hivex_value_value: returning EFAULT because data is longer than its block (data 0x%zx, data len %zu, block len %zu)\n",
1185 data_offset, len, blen);
1191 char *data = h->addr + data_offset + 4;
1192 memcpy (ret, data, len);
1197 windows_utf16_to_utf8 (/* const */ char *input, size_t len)
1199 iconv_t ic = iconv_open ("UTF-8", "UTF-16");
1200 if (ic == (iconv_t) -1)
1203 /* iconv(3) has an insane interface ... */
1205 /* Mostly UTF-8 will be smaller, so this is a good initial guess. */
1206 size_t outalloc = len;
1210 size_t outlen = outalloc;
1211 char *out = malloc (outlen + 1);
1221 size_t r = iconv (ic, &inp, &inlen, &outp, &outlen);
1222 if (r == (size_t) -1) {
1223 if (errno == E2BIG) {
1224 size_t prev = outalloc;
1225 /* Try again with a larger output buffer. */
1228 if (outalloc < prev)
1233 /* Else some conversion failure, eg. EILSEQ, EINVAL. */
1249 hivex_value_string (hive_h *h, hive_value_h value)
1253 char *data = hivex_value_value (h, value, &t, &len);
1258 if (t != hive_t_string && t != hive_t_expand_string && t != hive_t_link) {
1264 char *ret = windows_utf16_to_utf8 (data, len);
1273 free_strings (char **argv)
1278 for (i = 0; argv[i] != NULL; ++i)
1284 /* Get the length of a UTF-16 format string. Handle the string as
1285 * pairs of bytes, looking for the first \0\0 pair.
1288 utf16_string_len_in_bytes (const char *str)
1292 while (str[0] || str[1]) {
1300 /* http://blogs.msdn.com/oldnewthing/archive/2009/10/08/9904646.aspx */
1302 hivex_value_multiple_strings (hive_h *h, hive_value_h value)
1306 char *data = hivex_value_value (h, value, &t, &len);
1311 if (t != hive_t_multiple_strings) {
1317 size_t nr_strings = 0;
1318 char **ret = malloc ((1 + nr_strings) * sizeof (char *));
1328 while (p < data + len && (plen = utf16_string_len_in_bytes (p)) > 0) {
1330 char **ret2 = realloc (ret, (1 + nr_strings) * sizeof (char *));
1338 ret[nr_strings-1] = windows_utf16_to_utf8 (p, plen);
1339 ret[nr_strings] = NULL;
1340 if (ret[nr_strings-1] == NULL) {
1346 p += plen + 2 /* skip over UTF-16 \0\0 at the end of this string */;
1354 hivex_value_dword (hive_h *h, hive_value_h value)
1358 char *data = hivex_value_value (h, value, &t, &len);
1363 if ((t != hive_t_dword && t != hive_t_dword_be) || len != 4) {
1369 int32_t ret = *(int32_t*)data;
1371 if (t == hive_t_dword) /* little endian */
1372 ret = le32toh (ret);
1374 ret = be32toh (ret);
1380 hivex_value_qword (hive_h *h, hive_value_h value)
1384 char *data = hivex_value_value (h, value, &t, &len);
1389 if (t != hive_t_qword || len != 8) {
1395 int64_t ret = *(int64_t*)data;
1397 ret = le64toh (ret); /* always little endian */
1403 hivex_visit (hive_h *h, const struct hivex_visitor *visitor, size_t len,
1404 void *opaque, int flags)
1406 return hivex_visit_node (h, hivex_root (h), visitor, len, opaque, flags);
1409 static int hivex__visit_node (hive_h *h, hive_node_h node, const struct hivex_visitor *vtor, char *unvisited, void *opaque, int flags);
1412 hivex_visit_node (hive_h *h, hive_node_h node,
1413 const struct hivex_visitor *visitor, size_t len, void *opaque,
1416 struct hivex_visitor vtor;
1417 memset (&vtor, 0, sizeof vtor);
1419 /* Note that len might be larger *or smaller* than the expected size. */
1420 size_t copysize = len <= sizeof vtor ? len : sizeof vtor;
1421 memcpy (&vtor, visitor, copysize);
1423 /* This bitmap records unvisited nodes, so we don't loop if the
1424 * registry contains cycles.
1426 char *unvisited = malloc (1 + h->size / 32);
1427 if (unvisited == NULL)
1429 memcpy (unvisited, h->bitmap, 1 + h->size / 32);
1431 int r = hivex__visit_node (h, node, &vtor, unvisited, opaque, flags);
1437 hivex__visit_node (hive_h *h, hive_node_h node,
1438 const struct hivex_visitor *vtor, char *unvisited,
1439 void *opaque, int flags)
1441 int skip_bad = flags & HIVEX_VISIT_SKIP_BAD;
1443 hive_value_h *values = NULL;
1444 hive_node_h *children = NULL;
1450 /* Return -1 on all callback errors. However on internal errors,
1451 * check if skip_bad is set and suppress those errors if so.
1455 if (!BITMAP_TST (unvisited, node)) {
1457 fprintf (stderr, "hivex__visit_node: contains cycle: visited node 0x%zx already\n",
1461 return skip_bad ? 0 : -1;
1463 BITMAP_CLR (unvisited, node);
1465 name = hivex_node_name (h, node);
1466 if (!name) return skip_bad ? 0 : -1;
1467 if (vtor->node_start && vtor->node_start (h, opaque, node, name) == -1)
1470 values = hivex_node_values (h, node);
1472 ret = skip_bad ? 0 : -1;
1476 for (i = 0; values[i] != 0; ++i) {
1480 if (hivex_value_type (h, values[i], &t, &len) == -1) {
1481 ret = skip_bad ? 0 : -1;
1485 key = hivex_value_key (h, values[i]);
1487 ret = skip_bad ? 0 : -1;
1491 if (vtor->value_any) {
1492 str = hivex_value_value (h, values[i], &t, &len);
1494 ret = skip_bad ? 0 : -1;
1497 if (vtor->value_any (h, opaque, node, values[i], t, len, key, str) == -1)
1499 free (str); str = NULL;
1504 str = hivex_value_value (h, values[i], &t, &len);
1506 ret = skip_bad ? 0 : -1;
1509 if (t != hive_t_none) {
1510 ret = skip_bad ? 0 : -1;
1513 if (vtor->value_none &&
1514 vtor->value_none (h, opaque, node, values[i], t, len, key, str) == -1)
1516 free (str); str = NULL;
1520 case hive_t_expand_string:
1522 str = hivex_value_string (h, values[i]);
1524 if (errno != EILSEQ && errno != EINVAL) {
1525 ret = skip_bad ? 0 : -1;
1528 if (vtor->value_string_invalid_utf16) {
1529 str = hivex_value_value (h, values[i], &t, &len);
1530 if (vtor->value_string_invalid_utf16 (h, opaque, node, values[i], t, len, key, str) == -1)
1532 free (str); str = NULL;
1536 if (vtor->value_string &&
1537 vtor->value_string (h, opaque, node, values[i], t, len, key, str) == -1)
1539 free (str); str = NULL;
1543 case hive_t_dword_be: {
1544 int32_t i32 = hivex_value_dword (h, values[i]);
1545 if (vtor->value_dword &&
1546 vtor->value_dword (h, opaque, node, values[i], t, len, key, i32) == -1)
1551 case hive_t_qword: {
1552 int64_t i64 = hivex_value_qword (h, values[i]);
1553 if (vtor->value_qword &&
1554 vtor->value_qword (h, opaque, node, values[i], t, len, key, i64) == -1)
1560 str = hivex_value_value (h, values[i], &t, &len);
1562 ret = skip_bad ? 0 : -1;
1565 if (t != hive_t_binary) {
1566 ret = skip_bad ? 0 : -1;
1569 if (vtor->value_binary &&
1570 vtor->value_binary (h, opaque, node, values[i], t, len, key, str) == -1)
1572 free (str); str = NULL;
1575 case hive_t_multiple_strings:
1576 strs = hivex_value_multiple_strings (h, values[i]);
1578 if (errno != EILSEQ && errno != EINVAL) {
1579 ret = skip_bad ? 0 : -1;
1582 if (vtor->value_string_invalid_utf16) {
1583 str = hivex_value_value (h, values[i], &t, &len);
1584 if (vtor->value_string_invalid_utf16 (h, opaque, node, values[i], t, len, key, str) == -1)
1586 free (str); str = NULL;
1590 if (vtor->value_multiple_strings &&
1591 vtor->value_multiple_strings (h, opaque, node, values[i], t, len, key, strs) == -1)
1593 free_strings (strs); strs = NULL;
1596 case hive_t_resource_list:
1597 case hive_t_full_resource_description:
1598 case hive_t_resource_requirements_list:
1600 str = hivex_value_value (h, values[i], &t, &len);
1602 ret = skip_bad ? 0 : -1;
1605 if (vtor->value_other &&
1606 vtor->value_other (h, opaque, node, values[i], t, len, key, str) == -1)
1608 free (str); str = NULL;
1613 free (key); key = NULL;
1616 children = hivex_node_children (h, node);
1617 if (children == NULL) {
1618 ret = skip_bad ? 0 : -1;
1622 for (i = 0; children[i] != 0; ++i) {
1624 fprintf (stderr, "hivex__visit_node: %s: visiting subkey %d (0x%zx)\n",
1625 name, i, children[i]);
1627 if (hivex__visit_node (h, children[i], vtor, unvisited, opaque, flags) == -1)
1631 if (vtor->node_end && vtor->node_end (h, opaque, node, name) == -1)
1642 free_strings (strs);
git.annexia.org / libguestfs.git / blob