|
regfi
|
regfi.h
Go to the documentation of this file.
00001 /* 00002 * Copyright (C) 2005-2011 Timothy D. Morgan 00003 * Copyright (C) 2010 Michael Cohen 00004 * Copyright (C) 2005 Gerald (Jerry) Carter 00005 * 00006 * This program is free software; you can redistribute it and/or modify 00007 * it under the terms of the GNU General Public License as published by 00008 * the Free Software Foundation; version 3 of the License. 00009 * 00010 * This program is distributed in the hope that it will be useful, 00011 * but WITHOUT ANY WARRANTY; without even the implied warranty of 00012 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 00013 * GNU General Public License for more details. 00014 * 00015 * You should have received a copy of the GNU General Public License 00016 * along with this program; if not, write to the Free Software 00017 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 00018 * 00019 * $Id: regfi.h 263 2011-06-18 00:06:51Z tim $ 00020 */ 00021 00058 #ifndef _REGFI_H 00059 #define _REGFI_H 00060 00061 #include <stdlib.h> 00062 #include <stdio.h> 00063 #include <stdbool.h> 00064 #include <string.h> 00065 #include <errno.h> 00066 #include <time.h> 00067 #include <fcntl.h> 00068 #include <sys/stat.h> 00069 #include <sys/types.h> 00070 #include <unistd.h> 00071 #include <iconv.h> 00072 #include <pthread.h> 00073 #include <talloc.h> 00074 00075 /* regfi headers */ 00076 #include "compat.h" 00077 #include "byteorder.h" 00078 #include "winsec.h" 00079 #include "void_stack.h" 00080 #include "range_list.h" 00081 #include "lru_cache.h" 00082 00083 /******************************************************************************/ 00084 /* Constants for use while interacting with the library */ 00085 /******************************************************************************/ 00086 00087 /* regfi library error message types */ 00088 #define REGFI_LOG_INFO 0x0001 00089 #define REGFI_LOG_WARN 0x0004 00090 #define REGFI_LOG_ERROR 0x0010 00091 #define REGFI_DEFAULT_LOG_MASK REGFI_LOG_ERROR|REGFI_LOG_WARN 00092 00093 /* regfi library supported character encodings */ 00094 /* UTF16LE is not supported for output */ 00095 typedef enum { 00096 REGFI_ENCODING_DEFAULT = 0, 00097 REGFI_ENCODING_ASCII = 0, 00098 REGFI_ENCODING_UTF8 = 1, 00099 REGFI_ENCODING_UTF16LE = 2, 00100 REGFI_NUM_ENCODINGS = 3 00101 } REGFI_ENCODING; 00102 00103 /* Registry data types */ 00104 typedef enum { 00105 REG_NONE = 0, 00106 REG_SZ = 1, 00107 REG_EXPAND_SZ = 2, 00108 REG_BINARY = 3, 00109 REG_DWORD = 4, 00110 REG_DWORD_LE = 4 , /* DWORD, little endian */ 00111 REG_DWORD_BE = 5 , /* DWORD, big endian */ 00112 REG_LINK = 6, 00113 REG_MULTI_SZ = 7, 00114 REG_RESOURCE_LIST = 8, 00115 REG_FULL_RESOURCE_DESCRIPTOR= 9, 00116 REG_RESOURCE_REQUIREMENTS_LIST= 10, 00117 REG_QWORD = 11, /* 64-bit little endian */ 00118 /* XXX: Has MS defined a REG_QWORD_BE? */ 00119 /* Not a real type in the registry */ 00120 REG_KEY = 0x7FFFFFFF 00121 } REGFI_DATA_TYPE; 00122 #define REGFI_OFFSET_NONE 0xffffffff 00123 00124 00125 00126 /******************************************************************************/ 00127 /* Various resource limits and related constants */ 00128 /******************************************************************************/ 00129 00130 /* Flags determining how many records to cache internally */ 00131 #define REGFI_CACHE_SK_MAX 64 00132 #define REGFI_CACHE_NK_MAX 1024 00133 00134 /* This maximum depth is described here: 00135 * http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx 00136 */ 00137 #define REGFI_MAX_DEPTH 512 00138 00139 /* This limit defines the maximum number of levels deep that ri subkey list 00140 * trees can go. 00141 */ 00142 /* XXX: This is totally arbitrary right now. 00143 * The actual limit may need to be discovered by experimentation. 00144 */ 00145 #define REGFI_MAX_SUBKEY_DEPTH 255 00146 00147 00148 /******************************************************************************/ 00149 /* Symbols for internal use */ 00150 /******************************************************************************/ 00151 00152 /* Global thread-local storage key */ 00153 pthread_key_t regfi_log_key; 00154 00155 /* Header sizes and magic number lengths for various records */ 00156 #define REGFI_HBIN_ALLOC 0x1000 /* Minimum allocation unit for HBINs */ 00157 #define REGFI_REGF_SIZE 0x1000 /* "regf" header block size */ 00158 #define REGFI_REGF_MAGIC_SIZE 4 00159 #define REGFI_REGF_NAME_SIZE 64 00160 #define REGFI_REGF_RESERVED1_SIZE 340 00161 #define REGFI_REGF_RESERVED2_SIZE 3528 00162 #define REGFI_HBIN_MAGIC_SIZE 4 00163 #define REGFI_CELL_MAGIC_SIZE 2 00164 #define REGFI_HBIN_HEADER_SIZE 0x20 00165 #define REGFI_NK_MIN_LENGTH 0x4C 00166 #define REGFI_VK_MIN_LENGTH 0x14 00167 #define REGFI_SK_MIN_LENGTH 0x14 00168 #define REGFI_SUBKEY_LIST_MIN_LEN 0x4 00169 #define REGFI_BIG_DATA_MIN_LENGTH 0xC 00170 00171 00172 /* Constants used for validation */ 00173 /* XXX: Can we add clock resolution validation as well as range? It has 00174 * been reported that Windows timestamps are never more than a 00175 * certain granularity (250ms?), which could be used to help 00176 * eliminate false positives. Would need to verify this and 00177 * perhaps conservatively implement a check. 00178 */ 00179 /* Minimum time is Jan 1, 1990 00:00:00 */ 00180 #define REGFI_MTIME_MIN 0x01B41E6D00000000L 00181 00182 /* Maximum time is Jan 1, 2290 00:00:00 00183 * (We hope no one is using Windows by then...) 00184 */ 00185 #define REGFI_MTIME_MAX 0x0304754300000000L 00186 00187 00188 /* Flags for the vk records */ 00189 #define REGFI_VK_FLAG_ASCIINAME 0x0001 00190 #define REGFI_VK_DATA_IN_OFFSET 0x80000000 00191 #define REGFI_VK_MAX_DATA_LENGTH 1024*1024 /* XXX: This is arbitrary */ 00192 00193 00194 /* Known key flags */ 00195 /*******************/ 00196 /* These next two show up on normal-seeming keys in Vista and W2K3 registries */ 00197 #define REGFI_NK_FLAG_UNKNOWN1 0x4000 00198 #define REGFI_NK_FLAG_UNKNOWN2 0x1000 00199 00200 /* This next one shows up in some Vista "software" registries */ 00201 /* XXX: This shows up in the following two SOFTWARE keys in Vista: 00202 * /Wow6432Node/Microsoft 00203 * /Wow6432Node/Microsoft/Cryptography 00204 * 00205 * It comes along with UNKNOWN2 and ASCIINAME for a total flags value of 0x10A0 00206 */ 00207 #define REGFI_NK_FLAG_UNKNOWN3 0x0080 00208 00209 /* Predefined handle. Rumor has it that the valuelist count for this key is 00210 * where the handle is stored. 00211 * http://msdn.microsoft.com/en-us/library/ms724836(VS.85).aspx 00212 */ 00213 #define REGFI_NK_FLAG_PREDEF_KEY 0x0040 00214 00215 /* The name will be in ASCII if this next bit is set, otherwise UTF-16LE */ 00216 #define REGFI_NK_FLAG_ASCIINAME 0x0020 00217 00218 /* Symlink key. 00219 * See: http://www.codeproject.com/KB/system/regsymlink.aspx 00220 */ 00221 #define REGFI_NK_FLAG_LINK 0x0010 00222 00223 /* This key cannot be deleted */ 00224 #define REGFI_NK_FLAG_NO_RM 0x0008 00225 00226 /* Root of a hive */ 00227 #define REGFI_NK_FLAG_ROOT 0x0004 00228 00229 /* Mount point of another hive. NULL/(default) value indicates which hive 00230 * and where in the hive it points to. 00231 */ 00232 #define REGFI_NK_FLAG_HIVE_LINK 0x0002 00233 00234 /* These keys shouldn't be stored on disk, according to: 00235 * http://geekswithblogs.net/sdorman/archive/2007/12/24/volatile-registry-keys.aspx 00236 */ 00237 #define REGFI_NK_FLAG_VOLATILE 0x0001 00238 00239 /* Useful for identifying unknown flag types */ 00240 #define REGFI_NK_KNOWN_FLAGS (REGFI_NK_FLAG_PREDEF_KEY\ 00241 | REGFI_NK_FLAG_ASCIINAME\ 00242 | REGFI_NK_FLAG_LINK\ 00243 | REGFI_NK_FLAG_NO_RM\ 00244 | REGFI_NK_FLAG_ROOT\ 00245 | REGFI_NK_FLAG_HIVE_LINK\ 00246 | REGFI_NK_FLAG_VOLATILE\ 00247 | REGFI_NK_FLAG_UNKNOWN1\ 00248 | REGFI_NK_FLAG_UNKNOWN2\ 00249 | REGFI_NK_FLAG_UNKNOWN3) 00250 00251 00252 #ifndef CHAR_BIT 00253 #define CHAR_BIT 8 00254 #endif 00255 00256 #define TIME_T_MIN ((time_t)0 < (time_t) -1 ? (time_t) 0 \ 00257 : ~ (time_t) 0 << (sizeof (time_t) * CHAR_BIT - 1)) 00258 #define TIME_T_MAX (~ (time_t) 0 - TIME_T_MIN) 00259 #define REGFI_TIME_FIXUP (369.0*365.25*24*60*60-(3.0*24*60*60+6.0*60*60)) 00260 00261 00262 00263 /******************************************************************************/ 00264 /* Structures */ 00265 /******************************************************************************/ 00266 00267 typedef uint64_t REGFI_NTTIME; 00268 00269 typedef struct _regfi_log 00270 { 00271 /* Error/warning/info messages returned by lower layer functions */ 00272 char* messages; 00273 00274 /* Mask for error message types that will be stored. */ 00275 uint16_t msg_mask; 00276 00277 } REGFI_LOG; 00278 00279 00283 typedef struct _regfi_hbin 00284 { 00286 uint32_t file_off; 00287 00289 uint32_t ref_count; 00290 00292 uint32_t first_hbin_off; 00293 00295 uint32_t block_size; 00296 00301 uint32_t next_block; 00302 00304 uint8_t magic[REGFI_HBIN_MAGIC_SIZE]; 00305 } REGFI_HBIN; 00306 00307 00308 /* Subkey List -- list of key offsets and hashed names for consistency */ 00309 typedef struct 00310 { 00311 /* Virtual offset of NK record or additional subkey list, 00312 * depending on this list's type. 00313 */ 00314 uint32_t offset; 00315 00316 uint32_t hash; 00317 } REGFI_SUBKEY_LIST_ELEM; 00318 00319 00323 typedef struct _regfi_subkey_list 00324 { 00325 /* Real offset of this record's cell in the file */ 00326 uint32_t offset; 00327 00328 uint32_t cell_size; 00329 00330 /* Number of immediate children */ 00331 uint32_t num_children; 00332 00333 /* Total number of keys referenced by this list and its children */ 00334 uint32_t num_keys; 00335 00336 REGFI_SUBKEY_LIST_ELEM* elements; 00337 uint8_t magic[REGFI_CELL_MAGIC_SIZE]; 00338 00339 /* Set if the magic indicates this subkey list points to child subkey lists */ 00340 bool recursive_type; 00341 } REGFI_SUBKEY_LIST; 00342 00343 00344 typedef uint32_t REGFI_VALUE_LIST_ELEM; 00348 typedef struct _regfi_value_list 00349 { 00350 /* Real offset of this record's cell in the file */ 00351 uint32_t offset; 00352 00353 uint32_t cell_size; 00354 00355 /* Actual number of values referenced by this list. 00356 * May differ from parent key's num_values if there were parsing errors. 00357 */ 00358 uint32_t num_values; 00359 00360 REGFI_VALUE_LIST_ELEM* elements; 00361 } REGFI_VALUE_LIST; 00362 00363 00367 typedef struct _regfi_classname 00368 { 00370 uint32_t offset; 00371 00373 char* interpreted; 00374 00379 uint8_t* raw; 00380 00385 uint16_t size; 00386 } REGFI_CLASSNAME; 00387 00388 00392 typedef struct _regfi_data 00393 { 00394 /* XXX: this isn't populated yet. Should set it to start of data cell 00395 * or big data cell. 00396 */ 00397 uint32_t offset; 00398 00400 REGFI_DATA_TYPE type; 00401 00403 uint32_t size; 00404 00406 uint8_t* raw; 00407 00411 uint32_t interpreted_size; 00412 00418 union _regfi_data_interpreted 00419 { 00425 uint8_t* none; 00426 00432 uint8_t* string; 00433 00439 uint8_t* expand_string; 00440 00446 uint8_t* binary; 00447 00449 uint32_t dword; 00450 00452 uint32_t dword_be; 00453 00459 uint8_t* link; 00460 00467 uint8_t** multiple_string; 00468 00470 uint64_t qword; 00471 00472 /* The following are treated as binary currently, but this may change in 00473 * the future as the formats become better understood. 00474 */ 00475 00481 uint8_t* resource_list; 00482 00488 uint8_t* full_resource_descriptor; 00489 00495 uint8_t* resource_requirements_list; 00496 } interpreted; 00497 } REGFI_DATA; 00498 00499 00503 typedef struct _regfi_vk 00504 { 00506 uint32_t offset; 00507 00509 uint32_t cell_size; 00510 00516 char* name; 00517 00522 uint8_t* name_raw; 00523 00525 uint16_t name_length; 00526 00528 uint32_t hbin_off; 00529 00534 uint32_t data_size; 00535 00537 uint32_t data_off; 00538 00540 REGFI_DATA_TYPE type; 00541 00543 uint8_t magic[REGFI_CELL_MAGIC_SIZE]; 00544 00546 uint16_t flags; 00547 00548 /* XXX: A 2-byte field of unknown purpose stored in the VK record */ 00549 uint16_t unknown1; 00550 00555 bool data_in_offset; 00556 00557 /* XXX: deprecated */ 00558 REGFI_DATA* data; 00559 00560 } REGFI_VK; 00561 00562 00563 /* Key Security */ 00564 struct _regfi_sk; 00565 00569 typedef struct _regfi_sk 00570 { 00572 uint32_t offset; 00573 00575 uint32_t cell_size; 00576 00578 WINSEC_DESC* sec_desc; 00579 00581 uint32_t hbin_off; 00582 00584 uint32_t prev_sk_off; 00585 00587 uint32_t next_sk_off; 00588 00590 uint32_t ref_count; 00591 00593 uint32_t desc_size; 00594 00595 /* XXX: A 2-byte field of unknown purpose */ 00596 uint16_t unknown_tag; 00597 00599 uint8_t magic[REGFI_CELL_MAGIC_SIZE]; 00600 } REGFI_SK; 00601 00602 00606 typedef struct _regfi_nk 00607 { 00609 uint32_t offset; 00610 00614 uint32_t cell_size; 00615 00620 REGFI_VALUE_LIST* values; 00621 00622 00627 REGFI_SUBKEY_LIST* subkeys; 00628 00630 uint16_t flags; 00631 00633 uint8_t magic[REGFI_CELL_MAGIC_SIZE]; 00634 00636 REGFI_NTTIME mtime; 00637 00639 uint16_t name_length; 00640 00642 uint16_t classname_length; 00643 00649 char* name; 00650 00655 uint8_t* name_raw; 00656 00658 uint32_t parent_off; 00659 00661 uint32_t classname_off; 00662 00663 /* XXX: max subkey name * 2 */ 00664 uint32_t max_bytes_subkeyname; 00665 00666 /* XXX: max subkey classname length (as if) */ 00667 uint32_t max_bytes_subkeyclassname; 00668 00669 /* XXX: max value name * 2 */ 00670 uint32_t max_bytes_valuename; 00671 00672 /* XXX: max value data size */ 00673 uint32_t max_bytes_value; 00674 00675 /* XXX: Fields of unknown purpose */ 00676 uint32_t unknown1; 00677 uint32_t unknown2; 00678 uint32_t unknown3; 00679 uint32_t unk_index; /* nigel says run time index ? */ 00680 00682 uint32_t num_subkeys; 00683 00685 uint32_t subkeys_off; 00686 00688 uint32_t num_values; 00689 00691 uint32_t values_off; 00692 00694 uint32_t sk_off; 00695 } REGFI_NK; 00696 00697 00698 typedef struct _regfi_raw_file 00699 { 00700 int64_t (* seek)(); /* (REGFI_RAW_FILE* self, uint64_t offset, int whence) */ 00701 ssize_t (* read)(); /* (REGFI_RAW_FILE* self, void* buf, size_t count) */ 00702 00703 uint64_t cur_off; 00704 uint64_t size; 00705 void* state; 00706 } REGFI_RAW_FILE; 00707 00708 00724 typedef struct _regfi_file 00725 { 00726 /* Data parsed from file header */ 00727 /********************************/ 00728 uint8_t magic[REGFI_REGF_MAGIC_SIZE];/* "regf" */ 00729 00730 /* These sequence numbers should match if 00731 * the hive was properly synced to disk. 00732 */ 00733 uint32_t sequence1; 00734 uint32_t sequence2; 00735 00736 REGFI_NTTIME mtime; 00737 uint32_t major_version; /* Set to 1 in all known hives */ 00738 uint32_t minor_version; /* Set to 3 or 5 in all known hives */ 00739 uint32_t type; /* XXX: Unverified. Set to 0 in all known hives */ 00740 uint32_t format; /* XXX: Unverified. Set to 1 in all known hives */ 00741 00742 uint32_t root_cell; /* Offset to root cell in the first (or any?) hbin block */ 00743 uint32_t last_block; /* Offset to last hbin block in file */ 00744 00745 uint32_t cluster; /* XXX: Unverified. Set to 1 in all known hives */ 00746 00747 /* Matches hive's base file name. Stored in UTF-16LE */ 00748 uint8_t file_name[REGFI_REGF_NAME_SIZE]; 00749 00750 WINSEC_UUID* rm_id; /* XXX: Unverified. */ 00751 WINSEC_UUID* log_id; /* XXX: Unverified. */ 00752 WINSEC_UUID* tm_id; /* XXX: Unverified. */ 00753 uint32_t flags; /* XXX: Unverified. */ 00754 uint32_t guid_signature; /* XXX: Unverified. */ 00755 00756 uint32_t checksum; /* Stored checksum from file */ 00757 uint32_t computed_checksum; /* Our own calculation of the checksum. 00758 * (XOR of bytes 0x0000 - 0x01FB) */ 00759 00760 WINSEC_UUID* thaw_tm_id; /* XXX: Unverified. */ 00761 WINSEC_UUID* thaw_rm_id; /* XXX: Unverified. */ 00762 WINSEC_UUID* thaw_log_id; /* XXX: Unverified. */ 00763 uint32_t boot_type; /* XXX: Unverified. */ 00764 uint32_t boot_recover; /* XXX: Unverified. */ 00765 00766 /* This seems to include random junk. Possibly unsanitized memory left over 00767 * from when header block was written. For instance, chunks of nk records 00768 * can be found, though often it's all 0s. */ 00769 uint8_t reserved1[REGFI_REGF_RESERVED1_SIZE]; 00770 00771 /* This is likely reserved and unusued currently. (Should be all 0s.) 00772 * Included here for easier access in looking for hidden data 00773 * or doing research. */ 00774 uint8_t reserved2[REGFI_REGF_RESERVED2_SIZE]; 00775 00776 00777 /* Run-time information */ 00778 /************************/ 00779 /* For sanity checking (not part of the registry header) */ 00780 uint32_t file_length; 00781 00784 REGFI_ENCODING string_encoding; 00785 00786 /* Functions for accessing the file */ 00787 REGFI_RAW_FILE* cb; 00788 00789 /* Mutex for all cb access. This is done to prevent one thread from moving 00790 * the file offset while another thread is in the middle of a multi-read 00791 * parsing transaction */ 00792 pthread_mutex_t cb_lock; 00793 00794 /* Metadata about hbins */ 00795 range_list* hbins; 00796 00797 /* Multiple read access allowed, write access is exclusive */ 00798 pthread_rwlock_t hbins_lock; 00799 00800 /* Small number of SK records cached */ 00801 lru_cache* sk_cache; 00802 00803 /* Need exclusive access for LRUs, since lookups make changes */ 00804 pthread_mutex_t sk_lock; 00805 00806 /* Limited number of keys cached */ 00807 lru_cache* nk_cache; 00808 00809 /* Need exclusive access for LRUs, since lookups make changes */ 00810 pthread_mutex_t nk_lock; 00811 00812 /* Needed to protect various talloc calls */ 00813 pthread_mutex_t mem_lock; 00814 00815 } REGFI_FILE; 00816 00817 00818 typedef struct _regfi_iter_position 00819 { 00820 /* key offset */ 00821 uint32_t offset; 00822 00823 /* Index of the current subkey */ 00824 uint32_t cur_subkey; 00825 00826 /* Index of the current value */ 00827 uint32_t cur_value; 00828 00829 /* The number of subkeys of this key */ 00830 uint32_t num_subkeys; 00831 00832 /* The number of values of this key */ 00833 uint32_t num_values; 00834 00835 } REGFI_ITER_POSITION; 00836 00837 00841 typedef struct _regfi_iterator 00842 { 00844 REGFI_FILE* f; 00845 00847 void_stack* key_positions; 00848 00849 REGFI_ITER_POSITION* cur; 00850 } REGFI_ITERATOR; 00851 00852 00853 00857 typedef struct _regfi_buffer 00858 { 00859 uint8_t* buf; 00860 uint32_t len; 00861 } REGFI_BUFFER; 00862 00863 00864 00865 /******************************************************************************/ 00872 /******************************************************************************/ 00873 00874 00875 00882 _EXPORT() 00883 const char* regfi_version(); 00884 00885 00904 _EXPORT() 00905 REGFI_FILE* regfi_alloc(int fd, REGFI_ENCODING output_encoding); 00906 00907 00928 _EXPORT() 00929 REGFI_FILE* regfi_alloc_cb(REGFI_RAW_FILE* file_cb, 00930 REGFI_ENCODING output_encoding); 00931 00932 00939 _EXPORT() 00940 void regfi_free(REGFI_FILE* file); 00941 00942 00950 _EXPORT() 00951 char* regfi_log_get_str(); 00952 00953 00980 _EXPORT() 00981 bool regfi_log_set_mask(uint16_t mask); 00982 00983 00991 _EXPORT() 00992 const REGFI_NK* regfi_get_rootkey(REGFI_FILE* file); 00993 00994 01010 _EXPORT() 01011 void regfi_free_record(REGFI_FILE* file, const void* record); 01012 01013 01037 _EXPORT() 01038 const void* regfi_reference_record(REGFI_FILE* file, const void* record); 01039 01040 01052 _EXPORT() 01053 uint32_t regfi_fetch_num_subkeys(const REGFI_NK* key); 01054 01055 01067 _EXPORT() 01068 uint32_t regfi_fetch_num_values(const REGFI_NK* key); 01069 01070 01081 _EXPORT() 01082 const REGFI_CLASSNAME* regfi_fetch_classname(REGFI_FILE* file, 01083 const REGFI_NK* key); 01084 01085 01095 _EXPORT() 01096 const REGFI_SK* regfi_fetch_sk(REGFI_FILE* file, const REGFI_NK* key); 01097 01098 01113 _EXPORT() 01114 const REGFI_SK* regfi_next_sk(REGFI_FILE* file, const REGFI_SK* sk); 01115 01116 01131 _EXPORT() 01132 const REGFI_SK* regfi_prev_sk(REGFI_FILE* file, const REGFI_SK* sk); 01133 01134 01145 _EXPORT() 01146 const REGFI_DATA* regfi_fetch_data(REGFI_FILE* file, 01147 const REGFI_VK* value); 01148 01149 01164 _EXPORT() 01165 bool regfi_find_subkey(REGFI_FILE* file, const REGFI_NK* key, 01166 const char* name, uint32_t* index); 01167 01168 01183 _EXPORT() 01184 bool regfi_find_value(REGFI_FILE* file, const REGFI_NK* key, 01185 const char* name, uint32_t* index); 01186 01187 01198 _EXPORT() 01199 const REGFI_NK* regfi_get_subkey(REGFI_FILE* file, const REGFI_NK* key, 01200 uint32_t index); 01201 01202 01213 _EXPORT() 01214 const REGFI_VK* regfi_get_value(REGFI_FILE* file, const REGFI_NK* key, 01215 uint32_t index); 01216 01217 01218 01228 _EXPORT() 01229 const REGFI_NK* regfi_get_parentkey(REGFI_FILE* file, const REGFI_NK* key); 01230 01231 01232 /******************************************************************************/ 01240 /******************************************************************************/ 01241 01251 _EXPORT() 01252 REGFI_ITERATOR* regfi_iterator_new(REGFI_FILE* file); 01253 01254 01263 _EXPORT() 01264 void regfi_iterator_free(REGFI_ITERATOR* i); 01265 01266 01280 _EXPORT() 01281 bool regfi_iterator_down(REGFI_ITERATOR* i); 01282 01283 01293 _EXPORT() 01294 bool regfi_iterator_up(REGFI_ITERATOR* i); 01295 01296 01305 _EXPORT() 01306 bool regfi_iterator_to_root(REGFI_ITERATOR* i); 01307 01308 01327 _EXPORT() 01328 bool regfi_iterator_descend(REGFI_ITERATOR* i, const char** path); 01329 01330 01340 _EXPORT() 01341 const REGFI_NK* regfi_iterator_cur_key(REGFI_ITERATOR* i); 01342 01343 01353 _EXPORT() 01354 bool regfi_iterator_first_subkey(REGFI_ITERATOR* i); 01355 01356 01367 _EXPORT() 01368 const REGFI_NK* regfi_iterator_cur_subkey(REGFI_ITERATOR* i); 01369 01370 01379 _EXPORT() 01380 bool regfi_iterator_next_subkey(REGFI_ITERATOR* i); 01381 01382 01394 _EXPORT() 01395 bool regfi_iterator_find_subkey(REGFI_ITERATOR* i, const char* name); 01396 01397 01407 _EXPORT() 01408 bool regfi_iterator_first_value(REGFI_ITERATOR* i); 01409 01410 01421 _EXPORT() 01422 const REGFI_VK* regfi_iterator_cur_value(REGFI_ITERATOR* i); 01423 01424 01433 _EXPORT() 01434 bool regfi_iterator_next_value(REGFI_ITERATOR* i); 01435 01436 01448 _EXPORT() 01449 bool regfi_iterator_find_value(REGFI_ITERATOR* i, const char* name); 01450 01451 01467 _EXPORT() 01468 const REGFI_NK** regfi_iterator_ancestry(REGFI_ITERATOR* i); 01469 01470 01471 /******************************************************************************/ 01475 /******************************************************************************/ 01476 01483 _EXPORT() 01484 REGFI_NK* regfi_load_key(REGFI_FILE* file, uint32_t offset, 01485 bool strict); 01486 01487 01494 _EXPORT() 01495 REGFI_VK* regfi_load_value(REGFI_FILE* file, uint32_t offset, 01496 bool strict); 01497 01498 01505 _EXPORT() 01506 REGFI_SUBKEY_LIST* regfi_load_subkeylist(REGFI_FILE* file, uint32_t offset, 01507 uint32_t num_keys, uint32_t max_size, 01508 bool strict); 01509 01510 01517 _EXPORT() 01518 REGFI_VALUE_LIST* regfi_load_valuelist(REGFI_FILE* file, uint32_t offset, 01519 uint32_t num_values, uint32_t max_size, 01520 bool strict); 01521 01522 01530 _EXPORT() 01531 REGFI_BUFFER regfi_load_data(REGFI_FILE* file, uint32_t voffset, 01532 uint32_t length, bool data_in_offset, 01533 bool strict); 01534 01535 01542 _EXPORT() 01543 REGFI_BUFFER regfi_load_big_data(REGFI_FILE* file, uint32_t offset, 01544 uint32_t data_length,uint32_t cell_length, 01545 range_list* used_ranges, 01546 bool strict); 01547 01548 01556 _EXPORT() 01557 bool regfi_interpret_data(REGFI_FILE* file, 01558 uint32_t type, REGFI_DATA* data); 01559 01560 01561 01562 /* These are cached so return values don't need to be freed. */ 01563 01570 _EXPORT() 01571 const REGFI_SK* regfi_load_sk(REGFI_FILE* file, uint32_t offset, 01572 bool strict); 01573 01574 01575 01576 01583 _EXPORT() 01584 const REGFI_HBIN* regfi_lookup_hbin(REGFI_FILE* file, uint32_t offset); 01585 01586 01587 01588 /******************************************************************************/ 01592 /******************************************************************************/ 01593 01594 _EXPORT() 01595 REGFI_FILE* regfi_parse_regf(REGFI_RAW_FILE* file_cb, bool strict); 01596 01597 _EXPORT() 01598 REGFI_HBIN* regfi_parse_hbin(REGFI_FILE* file, uint32_t offset, 01599 bool strict); 01600 01601 01614 _EXPORT() 01615 REGFI_NK* regfi_parse_nk(REGFI_FILE* file, uint32_t offset, 01616 uint32_t max_size, bool strict); 01617 01618 01625 _EXPORT() 01626 REGFI_SUBKEY_LIST* regfi_parse_subkeylist(REGFI_FILE* file, uint32_t offset, 01627 uint32_t max_size, bool strict); 01628 01629 01636 _EXPORT() 01637 REGFI_VK* regfi_parse_vk(REGFI_FILE* file, uint32_t offset, 01638 uint32_t max_size, bool strict); 01639 01640 01647 _EXPORT() 01648 REGFI_SK* regfi_parse_sk(REGFI_FILE* file, uint32_t offset, 01649 uint32_t max_size, bool strict); 01650 01651 01661 _EXPORT() 01662 range_list* regfi_parse_unalloc_cells(REGFI_FILE* file); 01663 01664 01671 _EXPORT() 01672 bool regfi_parse_cell(REGFI_RAW_FILE* file_cb, uint32_t offset, 01673 uint8_t* hdr, uint32_t hdr_len, 01674 uint32_t* cell_length, bool* unalloc); 01675 01676 01683 _EXPORT() 01684 uint8_t* regfi_parse_classname(REGFI_FILE* file, uint32_t offset, 01685 uint16_t* name_length, 01686 uint32_t max_size, bool strict); 01687 01688 01695 _EXPORT() 01696 REGFI_BUFFER regfi_parse_data(REGFI_FILE* file, uint32_t offset, 01697 uint32_t length, bool strict); 01698 01699 01707 _EXPORT() 01708 REGFI_BUFFER regfi_parse_little_data(REGFI_FILE* file, uint32_t voffset, 01709 uint32_t length, bool strict); 01710 01711 01712 /******************************************************************************/ 01713 /* Private (and undocumented) Functions */ 01714 /******************************************************************************/ 01715 int64_t regfi_raw_seek(REGFI_RAW_FILE* self, 01716 uint64_t offset, int whence); 01717 ssize_t regfi_raw_read(REGFI_RAW_FILE* self, 01718 void* buf, size_t count); 01719 _EXPORT() 01720 uint64_t regfi_seek(REGFI_RAW_FILE* file_cb, 01721 uint64_t offset, int whence); 01722 _EXPORT() 01723 uint32_t regfi_read(REGFI_RAW_FILE* file_cb, 01724 uint8_t* buf, uint32_t* length); 01725 01726 _EXPORT() 01727 const char* regfi_type_val2str(unsigned int val); 01728 _EXPORT() 01729 int regfi_type_str2val(const char* str); 01730 01731 _EXPORT() 01732 char* regfi_get_sacl(WINSEC_DESC* sec_desc); 01733 _EXPORT() 01734 char* regfi_get_dacl(WINSEC_DESC* sec_desc); 01735 _EXPORT() 01736 char* regfi_get_owner(WINSEC_DESC* sec_desc); 01737 _EXPORT() 01738 char* regfi_get_group(WINSEC_DESC* sec_desc); 01739 01740 REGFI_SUBKEY_LIST* regfi_merge_subkeylists(uint16_t num_lists, 01741 REGFI_SUBKEY_LIST** lists, 01742 bool strict); 01743 REGFI_SUBKEY_LIST* regfi_load_subkeylist_aux(REGFI_FILE* file, uint32_t offset, 01744 uint32_t max_size, bool strict, 01745 uint8_t depth_left); 01746 void regfi_add_message(REGFI_FILE* file, uint16_t msg_type, 01747 const char* fmt, ...); 01748 REGFI_NK* regfi_copy_nk(const REGFI_NK* nk); 01749 REGFI_VK* regfi_copy_vk(const REGFI_VK* vk); 01750 _EXPORT() 01751 int32_t regfi_calc_maxsize(REGFI_FILE* file, uint32_t offset); 01752 REGFI_BUFFER regfi_conv_charset(const char* input_charset, const char* output_charset, 01753 uint8_t* input, uint32_t input_len); 01754 _EXPORT() 01755 REGFI_DATA* regfi_buffer_to_data(REGFI_BUFFER raw_data); 01756 01757 /* XXX: move to base API and document */ 01758 _EXPORT() 01759 REGFI_NTTIME regfi_unix2nt_time(time_t t); 01760 _EXPORT() 01761 double regfi_nt2unix_time(REGFI_NTTIME nt); 01762 01763 01764 _EXPORT() 01765 void regfi_interpret_keyname(REGFI_FILE* file, REGFI_NK* nk, bool strict); 01766 _EXPORT() 01767 void regfi_interpret_valuename(REGFI_FILE* file, REGFI_VK* vk, bool strict); 01768 01769 _EXPORT() 01770 void regfi_init(); 01771 01772 01773 #endif /* _REGFI_H */
