/* hivexget - Get single subkeys or values from a hive. * Copyright (C) 2009 Red Hat Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include #include #include #include #include #include #include #include "hivex.h" #ifdef HAVE_GETTEXT #include "gettext.h" #define _(str) dgettext(PACKAGE, (str)) //#define N_(str) dgettext(PACKAGE, (str)) #else #define _(str) str //#define N_(str) str #endif enum { EXIT_NOT_FOUND = 2 }; int main (int argc, char *argv[]) { setlocale (LC_ALL, ""); bindtextdomain (PACKAGE, LOCALEBASEDIR); textdomain (PACKAGE); if (argc < 3 || argc > 4) { fprintf (stderr, _("hivexget regfile path [key]\n")); exit (EXIT_FAILURE); } char *file = argv[1]; char *path = argv[2]; char *key = argv[3]; /* could be NULL */ if (path[0] != '\\') { fprintf (stderr, _("hivexget: path must start with a \\ character\n")); exit (EXIT_FAILURE); } if (path[1] == '\\') { doubled: fprintf (stderr, _("%s: %s: \\ characters in path are doubled - are you escaping the path parameter correctly?\n"), "hivexget", path); exit (EXIT_FAILURE); } hive_h *h = hivex_open (file, 0); if (h == NULL) { error: perror (file); exit (EXIT_FAILURE); } /* Navigate to the desired node. */ hive_node_h node = hivex_root (h); if (!node) goto error; char *p = path+1, *pnext; size_t len; while (*p) { len = strcspn (p, "\\"); if (len == 0) goto doubled; if (p[len] == '\\') { p[len] = '\0'; pnext = p + len + 1; } else pnext = p + len; errno = 0; node = hivex_node_get_child (h, node, p); if (node == 0) { if (errno) goto error; /* else node not found */ fprintf (stderr, _("hivexget: %s: %s: path element not found\n"), path, p); exit (EXIT_NOT_FOUND); } p = pnext; } /* Get the desired key, or print all keys. */ if (key) { hive_value_h value; errno = 0; if (key[0] == '@' && key[1] == '\0') /* default key written as "@" */ value = hivex_node_get_value (h, node, ""); else value = hivex_node_get_value (h, node, key); if (value == 0) { if (errno) goto error; /* else key not found */ fprintf (stderr, _("%s: %s: key not found\n"), "hivexget", key); exit (EXIT_NOT_FOUND); } /* Print the value. */ hive_type t; size_t len; if (hivex_value_type (h, value, &t, &len) == -1) goto error; switch (t) { case hive_t_string: case hive_t_expand_string: case hive_t_link: { char *str = hivex_value_string (h, value); if (!str) goto error; puts (str); /* note: this adds a single \n character */ free (str); break; } case hive_t_dword: case hive_t_dword_be: { int32_t j = hivex_value_dword (h, value); printf ("%" PRIi32 "\n", j); break; } case hive_t_qword: { int64_t j = hivex_value_qword (h, value); printf ("%" PRIi64 "\n", j); break; } case hive_t_multiple_strings: { char **strs = hivex_value_multiple_strings (h, value); if (!strs) goto error; size_t j; for (j = 0; strs[j] != NULL; ++j) { puts (strs[j]); free (strs[j]); } free (strs); break; } case hive_t_none: case hive_t_binary: case hive_t_resource_list: case hive_t_full_resource_description: case hive_t_resource_requirements_list: default: { char *data = hivex_value_value (h, value, &t, &len); if (!data) goto error; if (fwrite (data, 1, len, stdout) != len) goto error; free (data); break; } } /* switch */ } else { /* No key specified, so print all keys in this node. We do this * in a format which looks like the output of regedit, although * this isn't a particularly useful format. */ hive_value_h *values; values = hivex_node_values (h, node); if (values == NULL) goto error; size_t i; for (i = 0; values[i] != 0; ++i) { char *key = hivex_value_key (h, values[i]); if (!key) goto error; if (*key) { putchar ('"'); size_t j; for (j = 0; key[j] != 0; ++j) { if (key[j] == '"' || key[j] == '\\') putchar ('\\'); putchar (key[j]); } putchar ('"'); } else printf ("\"@\""); /* default key in regedit files */ putchar ('='); free (key); hive_type t; size_t len; if (hivex_value_type (h, values[i], &t, &len) == -1) goto error; switch (t) { case hive_t_string: case hive_t_expand_string: case hive_t_link: { char *str = hivex_value_string (h, values[i]); if (!str) goto error; if (t != hive_t_string) printf ("str(%d):", t); putchar ('"'); size_t j; for (j = 0; str[j] != 0; ++j) { if (str[j] == '"' || str[j] == '\\') putchar ('\\'); putchar (str[j]); } putchar ('"'); free (str); break; } case hive_t_dword: case hive_t_dword_be: { int32_t j = hivex_value_dword (h, values[i]); printf ("dword:%08" PRIx32 "\"", j); break; } case hive_t_qword: /* sic */ case hive_t_none: case hive_t_binary: case hive_t_multiple_strings: case hive_t_resource_list: case hive_t_full_resource_description: case hive_t_resource_requirements_list: default: { char *data = hivex_value_value (h, values[i], &t, &len); if (!data) goto error; printf ("hex(%d):", t); size_t j; for (j = 0; j < len; ++j) { if (j > 0) putchar (','); printf ("%02x", data[j]); } break; } } /* switch */ putchar ('\n'); } /* for */ free (values); } if (hivex_close (h) == -1) goto error; exit (EXIT_SUCCESS); }