regfi.h

Go to the documentation of this file.

/*
 * Copyright (C) 2005-2011 Timothy D. Morgan
 * Copyright (C) 2010 Michael Cohen
 * Copyright (C) 2005 Gerald (Jerry) Carter
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; version 3 of the License.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 *
 * $Id$
 */
 
#ifndef _REGFI_H
#define _REGFI_H
 
#include <stdlib.h>
#include <stdio.h>
#include <stdbool.h>
#include <string.h>
#include <errno.h>
#include <time.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <iconv.h>
#include <pthread.h>
#include <talloc.h>
 
/* regfi headers */
#include "compat.h"
#include "byteorder.h"
#include "winsec.h"
#include "void_stack.h"
#include "range_list.h"
#include "lru_cache.h"
 
/******************************************************************************/
/* Constants for use while interacting with the library                       */
/******************************************************************************/
 
/* regfi library error message types */
#define REGFI_LOG_INFO  0x0001
#define REGFI_LOG_WARN  0x0004
#define REGFI_LOG_ERROR 0x0010
#define REGFI_DEFAULT_LOG_MASK REGFI_LOG_ERROR|REGFI_LOG_WARN
 
/* regfi library supported character encodings */
/* UTF16LE is not supported for output */
typedef enum {
  REGFI_ENCODING_DEFAULT  = 0,
  REGFI_ENCODING_ASCII =   0,
  REGFI_ENCODING_UTF8  =  1,
  REGFI_ENCODING_UTF16LE = 2,
  REGFI_NUM_ENCODINGS  =  3
} REGFI_ENCODING;
 
/* Registry data types */
typedef enum {
  REG_NONE                   =    0,
  REG_SZ                     =    1,
  REG_EXPAND_SZ              =    2,
  REG_BINARY                 =    3,
  REG_DWORD                  =    4,
  REG_DWORD_LE               =    4 , /* DWORD, little endian */
  REG_DWORD_BE               =    5 , /* DWORD, big endian */
  REG_LINK                   =    6,
  REG_MULTI_SZ               =    7,
  REG_RESOURCE_LIST          =    8,
  REG_FULL_RESOURCE_DESCRIPTOR=   9,
  REG_RESOURCE_REQUIREMENTS_LIST= 10,
  REG_QWORD                     = 11, /* 64-bit little endian */
/* XXX: Has MS defined a REG_QWORD_BE? */
/* Not a real type in the registry */
  REG_KEY                 =   0x7FFFFFFF
} REGFI_DATA_TYPE;
#define REGFI_OFFSET_NONE          0xffffffff
 
 
 
/******************************************************************************/
/* Various resource limits and related constants                              */
/******************************************************************************/
 
/* Flags determining how many records to cache internally */
#define REGFI_CACHE_SK_MAX         64
#define REGFI_CACHE_NK_MAX         1024
 
/* This maximum depth is described here:
 * http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx
 */
#define REGFI_MAX_DEPTH            512
 
/* This limit defines the maximum number of levels deep that ri subkey list
 * trees can go.
 */
/* XXX: This is totally arbitrary right now.
 *      The actual limit may need to be discovered by experimentation.
 */
#define REGFI_MAX_SUBKEY_DEPTH     255
 
 
/******************************************************************************/
/* Symbols for internal use                                                   */
/******************************************************************************/
 
/* Global thread-local storage key */
pthread_key_t regfi_log_key;
 
/* Header sizes and magic number lengths for various records */
#define REGFI_HBIN_ALLOC           0x1000 /* Minimum allocation unit for HBINs */
#define REGFI_REGF_SIZE            0x1000 /* "regf" header block size */
#define REGFI_REGF_MAGIC_SIZE      4
#define REGFI_REGF_NAME_SIZE       64
#define REGFI_REGF_RESERVED1_SIZE  340
#define REGFI_REGF_RESERVED2_SIZE  3528
#define REGFI_HBIN_MAGIC_SIZE      4
#define REGFI_CELL_MAGIC_SIZE      2
#define REGFI_HBIN_HEADER_SIZE     0x20
#define REGFI_NK_MIN_LENGTH        0x4C
#define REGFI_VK_MIN_LENGTH        0x14
#define REGFI_SK_MIN_LENGTH        0x14
#define REGFI_SUBKEY_LIST_MIN_LEN  0x4
#define REGFI_BIG_DATA_MIN_LENGTH  0xC
 
 
/* Constants used for validation */
/* XXX: Can we add clock resolution validation as well as range?  It has
 *      been reported that Windows timestamps are never more than a
 *      certain granularity (250ms?), which could be used to help
 *      eliminate false positives.  Would need to verify this and
 *      perhaps conservatively implement a check.
 */
 /* Minimum time is Jan 1, 1990 00:00:00 */
#define REGFI_MTIME_MIN            0x01B41E6D00000000L
 
 /* Maximum time is Jan 1, 2290 00:00:00
  * (We hope no one is using Windows by then...) 
  */
#define REGFI_MTIME_MAX            0x0304754300000000L
 
 
/* Flags for the vk records */
#define REGFI_VK_FLAG_ASCIINAME    0x0001
#define REGFI_VK_DATA_IN_OFFSET    0x80000000
#define REGFI_VK_MAX_DATA_LENGTH   1024*1024  /* XXX: This is arbitrary */
 
 
/* Known key flags */
/*******************/
/* These next two show up on normal-seeming keys in Vista and W2K3 registries */
#define REGFI_NK_FLAG_UNKNOWN1     0x4000
#define REGFI_NK_FLAG_UNKNOWN2     0x1000
 
/* This next one shows up in some Vista "software" registries */
/* XXX: This shows up in the following two SOFTWARE keys in Vista:
 *   /Wow6432Node/Microsoft
 *   /Wow6432Node/Microsoft/Cryptography
 *  
 * It comes along with UNKNOWN2 and ASCIINAME for a total flags value of 0x10A0
 */
#define REGFI_NK_FLAG_UNKNOWN3     0x0080
 
/* Predefined handle.  Rumor has it that the valuelist count for this key is 
 * where the handle is stored.
 * http://msdn.microsoft.com/en-us/library/ms724836(VS.85).aspx
 */
#define REGFI_NK_FLAG_PREDEF_KEY   0x0040
 
/* The name will be in ASCII if this next bit is set, otherwise UTF-16LE */
#define REGFI_NK_FLAG_ASCIINAME    0x0020
 
/* Symlink key.  
 * See: http://www.codeproject.com/KB/system/regsymlink.aspx 
 */
#define REGFI_NK_FLAG_LINK         0x0010
 
/* This key cannot be deleted */
#define REGFI_NK_FLAG_NO_RM        0x0008
 
/* Root of a hive */
#define REGFI_NK_FLAG_ROOT         0x0004
 
/* Mount point of another hive.  NULL/(default) value indicates which hive 
 * and where in the hive it points to. 
 */
#define REGFI_NK_FLAG_HIVE_LINK    0x0002 
 
/* These keys shouldn't be stored on disk, according to:
 * http://geekswithblogs.net/sdorman/archive/2007/12/24/volatile-registry-keys.aspx
 */
#define REGFI_NK_FLAG_VOLATILE     0x0001
 
/* Useful for identifying unknown flag types */
#define REGFI_NK_KNOWN_FLAGS       (REGFI_NK_FLAG_PREDEF_KEY\
                                    | REGFI_NK_FLAG_ASCIINAME\
                                    | REGFI_NK_FLAG_LINK\
                                    | REGFI_NK_FLAG_NO_RM\
                                    | REGFI_NK_FLAG_ROOT\
                                    | REGFI_NK_FLAG_HIVE_LINK\
                                    | REGFI_NK_FLAG_VOLATILE\
                                    | REGFI_NK_FLAG_UNKNOWN1\
                                    | REGFI_NK_FLAG_UNKNOWN2\
                                    | REGFI_NK_FLAG_UNKNOWN3)
 
 
#ifndef CHAR_BIT
#define CHAR_BIT 8
#endif
 
#define TIME_T_MIN ((time_t)0 < (time_t) -1 ? (time_t) 0 \
                    : ~ (time_t) 0 << (sizeof (time_t) * CHAR_BIT - 1))
#define TIME_T_MAX (~ (time_t) 0 - TIME_T_MIN)
#define REGFI_TIME_FIXUP (369.0*365.25*24*60*60-(3.0*24*60*60+6.0*60*60))
 
 
 
/******************************************************************************/
/* Structures                                                                 */
/******************************************************************************/
 
typedef uint64_t REGFI_NTTIME;
 
typedef struct _regfi_log
{
  /* Error/warning/info messages returned by lower layer functions */
  char* messages;
 
  /* Mask for error message types that will be stored. */
  uint16_t msg_mask;
 
} REGFI_LOG;
 
 
typedef struct _regfi_hbin 
{
  uint32_t file_off;
 
  uint32_t ref_count;
 
  uint32_t first_hbin_off;
 
  uint32_t block_size;
 
  uint32_t next_block;
 
  uint8_t magic[REGFI_HBIN_MAGIC_SIZE];
} REGFI_HBIN;
 
 
/* Subkey List -- list of key offsets and hashed names for consistency */
typedef struct 
{
  /* Virtual offset of NK record or additional subkey list, 
   * depending on this list's type. 
   */
  uint32_t offset;
 
  uint32_t hash;
} REGFI_SUBKEY_LIST_ELEM;
 
 
typedef struct _regfi_subkey_list
{
  /* Real offset of this record's cell in the file */
  uint32_t offset;
 
  uint32_t cell_size;
  
  /* Number of immediate children */
  uint32_t num_children;
 
  /* Total number of keys referenced by this list and its children */
  uint32_t num_keys;
 
  REGFI_SUBKEY_LIST_ELEM* elements;
  uint8_t magic[REGFI_CELL_MAGIC_SIZE];
 
  /* Set if the magic indicates this subkey list points to child subkey lists */
  bool recursive_type;
} REGFI_SUBKEY_LIST;
 
 
typedef uint32_t REGFI_VALUE_LIST_ELEM;
typedef struct _regfi_value_list
{
  /* Real offset of this record's cell in the file */
  uint32_t offset;
 
  uint32_t cell_size;
 
  /* Actual number of values referenced by this list.  
   * May differ from parent key's num_values if there were parsing errors. 
   */
  uint32_t num_values;
 
  REGFI_VALUE_LIST_ELEM* elements;
} REGFI_VALUE_LIST;
 
 
typedef struct _regfi_classname
{
  uint32_t offset;
 
  char* interpreted;
 
  uint8_t* raw;
 
  uint16_t size;
} REGFI_CLASSNAME;
 
 
typedef struct _regfi_data
{
  /* XXX: this isn't populated yet. Should set it to start of data cell
   *      or big data cell. 
   */
  uint32_t offset;
 
  REGFI_DATA_TYPE type;
 
  uint32_t size;
 
  uint8_t* raw;
 
  uint32_t interpreted_size;
 
  union _regfi_data_interpreted
  {
    uint8_t* none; 
 
    uint8_t* string;
 
    uint8_t* expand_string;
 
    uint8_t* binary;
 
    uint32_t dword;
 
    uint32_t dword_be;
 
    uint8_t* link;
 
    uint8_t** multiple_string;
 
    uint64_t qword;
 
    /* The following are treated as binary currently, but this may change in
     * the future as the formats become better understood.
     */
 
    uint8_t* resource_list;
 
    uint8_t* full_resource_descriptor;
 
    uint8_t* resource_requirements_list;
  } interpreted;
} REGFI_DATA;
 
 
typedef struct _regfi_vk
{
  uint32_t offset;      
 
  uint32_t cell_size;
 
  char* name;
 
  uint8_t* name_raw;
 
  uint16_t name_length;
 
  uint32_t hbin_off;
  
  uint32_t data_size;
 
  uint32_t data_off;
 
  REGFI_DATA_TYPE type;
 
  uint8_t  magic[REGFI_CELL_MAGIC_SIZE];
 
  uint16_t flags;
 
  /* XXX: A 2-byte field of unknown purpose stored in the VK record */
  uint16_t unknown1;
 
  bool     data_in_offset;
 
  /* XXX: deprecated */
  REGFI_DATA* data;
 
} REGFI_VK;
 
 
/* Key Security */
struct _regfi_sk;
 
typedef struct _regfi_sk 
{
  uint32_t offset;
 
  uint32_t cell_size;
 
  WINSEC_DESC* sec_desc;
 
  uint32_t hbin_off;
  
  uint32_t prev_sk_off;
 
  uint32_t next_sk_off;
 
  uint32_t ref_count;
 
  uint32_t desc_size;
 
  /* XXX: A 2-byte field of unknown purpose */
  uint16_t unknown_tag;
 
  uint8_t  magic[REGFI_CELL_MAGIC_SIZE];
} REGFI_SK;
 
 
typedef struct _regfi_nk
{
  uint32_t offset;
 
  uint32_t cell_size;
 
  REGFI_VALUE_LIST* values;
 
 
  REGFI_SUBKEY_LIST* subkeys;
  
  uint16_t flags;
 
  uint8_t  magic[REGFI_CELL_MAGIC_SIZE];
 
  REGFI_NTTIME mtime;
 
  uint16_t name_length;
 
  uint16_t classname_length;
 
  char* name;
 
  uint8_t* name_raw;
 
  uint32_t parent_off;
 
  uint32_t classname_off;
  
  /* XXX: max subkey name * 2 */
  uint32_t max_bytes_subkeyname;
 
  /* XXX: max subkey classname length (as if) */
  uint32_t max_bytes_subkeyclassname;
 
  /* XXX: max value name * 2 */
  uint32_t max_bytes_valuename;
 
  /* XXX: max value data size */
  uint32_t max_bytes_value;
  
  /* XXX: Fields of unknown purpose */
  uint32_t unknown1;
  uint32_t unknown2;
  uint32_t unknown3;
  uint32_t unk_index;               /* nigel says run time index ? */
  
  uint32_t num_subkeys;
 
  uint32_t subkeys_off;
 
  uint32_t num_values;
 
  uint32_t values_off;
 
  uint32_t sk_off;
} REGFI_NK;
 
 
typedef struct _regfi_raw_file
{
  int64_t  (* seek)(); /* (REGFI_RAW_FILE* self, uint64_t offset, int whence) */
  ssize_t  (* read)(); /* (REGFI_RAW_FILE* self, void* buf, size_t count) */
 
  uint64_t cur_off;
  uint64_t size;
  void*    state;
} REGFI_RAW_FILE;
 
 
typedef struct _regfi_file
{
  /* Data parsed from file header */
  /********************************/
  uint8_t  magic[REGFI_REGF_MAGIC_SIZE];/* "regf" */
 
 /* These sequence numbers should match if
  * the hive was properly synced to disk.
  */
  uint32_t sequence1;            
  uint32_t sequence2;
 
  REGFI_NTTIME mtime;
  uint32_t major_version;  /* Set to 1 in all known hives */
  uint32_t minor_version;  /* Set to 3 or 5 in all known hives */
  uint32_t type;           /* XXX: Unverified.  Set to 0 in all known hives */
  uint32_t format;         /* XXX: Unverified.  Set to 1 in all known hives */
 
  uint32_t root_cell;  /* Offset to root cell in the first (or any?) hbin block */
  uint32_t last_block; /* Offset to last hbin block in file */
 
  uint32_t cluster;    /* XXX: Unverified. Set to 1 in all known hives */
 
  /* Matches hive's base file name. Stored in UTF-16LE */
  uint8_t file_name[REGFI_REGF_NAME_SIZE];
 
  WINSEC_UUID* rm_id;       /* XXX: Unverified. */
  WINSEC_UUID* log_id;      /* XXX: Unverified. */
  WINSEC_UUID* tm_id;       /* XXX: Unverified. */
  uint32_t flags;             /* XXX: Unverified. */
  uint32_t guid_signature;    /* XXX: Unverified. */
 
  uint32_t checksum;          /* Stored checksum from file */
  uint32_t computed_checksum; /* Our own calculation of the checksum. 
                             * (XOR of bytes 0x0000 - 0x01FB) */
 
  WINSEC_UUID* thaw_tm_id;  /* XXX: Unverified. */
  WINSEC_UUID* thaw_rm_id;  /* XXX: Unverified. */
  WINSEC_UUID* thaw_log_id; /* XXX: Unverified. */
  uint32_t boot_type;         /* XXX: Unverified. */
  uint32_t boot_recover;      /* XXX: Unverified. */
 
  /* This seems to include random junk.  Possibly unsanitized memory left over
   * from when header block was written.  For instance, chunks of nk records 
   * can be found, though often it's all 0s. */
  uint8_t reserved1[REGFI_REGF_RESERVED1_SIZE];
 
  /* This is likely reserved and unusued currently.  (Should be all 0s.)
   * Included here for easier access in looking for hidden data 
   * or doing research. */
  uint8_t reserved2[REGFI_REGF_RESERVED2_SIZE];
 
 
  /* Run-time information */
  /************************/
  /* For sanity checking (not part of the registry header) */
  uint32_t file_length;
 
  REGFI_ENCODING string_encoding;
 
  /* Functions for accessing the file */
  REGFI_RAW_FILE* cb;
 
  /* Mutex for all cb access.  This is done to prevent one thread from moving
   * the file offset while another thread is in the middle of a multi-read
   * parsing transaction */
  pthread_mutex_t cb_lock;
 
  /* Metadata about hbins */
  range_list* hbins;
 
  /* Multiple read access allowed, write access is exclusive */
  pthread_rwlock_t hbins_lock;
 
  /* Small number of SK records cached */
  lru_cache* sk_cache;
 
  /* Need exclusive access for LRUs, since lookups make changes */
  pthread_mutex_t sk_lock;
 
  /* Limited number of keys cached */
  lru_cache* nk_cache;
 
  /* Need exclusive access for LRUs, since lookups make changes */
  pthread_mutex_t nk_lock;
 
  /* Needed to protect various talloc calls */
  pthread_mutex_t mem_lock;
 
} REGFI_FILE;
 
 
typedef struct _regfi_iter_position
{
  /* key offset */
  uint32_t offset;
 
  /* Index of the current subkey */
  uint32_t cur_subkey;
 
  /* Index of the current value */
  uint32_t cur_value;
 
  /* The number of subkeys of this key */
  uint32_t num_subkeys;
 
  /* The number of values of this key */
  uint32_t num_values;
 
} REGFI_ITER_POSITION;
 
 
typedef struct _regfi_iterator
{
  REGFI_FILE* f;
 
  void_stack* key_positions;
 
  REGFI_ITER_POSITION* cur;
} REGFI_ITERATOR;
 
 
 
typedef struct _regfi_buffer
{
  uint8_t* buf;
  uint32_t len;
} REGFI_BUFFER;
 
 
 
/******************************************************************************/
/******************************************************************************/
 
 
 
_EXPORT()
const char* regfi_version();
 
 
_EXPORT()
REGFI_FILE* regfi_alloc(int fd, REGFI_ENCODING output_encoding);
 
 
_EXPORT()
REGFI_FILE* regfi_alloc_cb(REGFI_RAW_FILE* file_cb,
                           REGFI_ENCODING output_encoding);
 
 
_EXPORT()
void regfi_free(REGFI_FILE* file);
 
 
_EXPORT()
char* regfi_log_get_str();
 
 
_EXPORT()
bool regfi_log_set_mask(uint16_t mask);
 
 
_EXPORT()
const REGFI_NK*       regfi_get_rootkey(REGFI_FILE* file);
 
 
_EXPORT()
void regfi_free_record(REGFI_FILE* file, const void* record);
 
 
_EXPORT()
const void* regfi_reference_record(REGFI_FILE* file, const void* record);
 
 
_EXPORT()
uint32_t regfi_fetch_num_subkeys(const REGFI_NK* key);
 
 
_EXPORT()
uint32_t regfi_fetch_num_values(const REGFI_NK* key);
 
 
_EXPORT()
const REGFI_CLASSNAME* regfi_fetch_classname(REGFI_FILE* file, 
                                             const REGFI_NK* key);
 
 
_EXPORT()
const REGFI_SK* regfi_fetch_sk(REGFI_FILE* file, const REGFI_NK* key);
 
 
_EXPORT()
const REGFI_SK* regfi_next_sk(REGFI_FILE* file, const REGFI_SK* sk);
 
 
_EXPORT()
const REGFI_SK* regfi_prev_sk(REGFI_FILE* file, const REGFI_SK* sk);
 
 
_EXPORT()
const REGFI_DATA* regfi_fetch_data(REGFI_FILE* file,
                                   const REGFI_VK* value);
 
 
_EXPORT()
bool regfi_find_subkey(REGFI_FILE* file, const REGFI_NK* key, 
                       const char* name, uint32_t* index);
 
 
_EXPORT()
bool regfi_find_value(REGFI_FILE* file, const REGFI_NK* key,
                      const char* name, uint32_t* index);
 
 
_EXPORT()
const REGFI_NK* regfi_get_subkey(REGFI_FILE* file, const REGFI_NK* key, 
                                 uint32_t index);
 
 
_EXPORT()
const REGFI_VK* regfi_get_value(REGFI_FILE* file, const REGFI_NK* key, 
                                uint32_t index);
 
 
 
_EXPORT()
const REGFI_NK* regfi_get_parentkey(REGFI_FILE* file, const REGFI_NK* key);
 
 
/******************************************************************************/
/******************************************************************************/
 
_EXPORT()
REGFI_ITERATOR* regfi_iterator_new(REGFI_FILE* file);
 
 
_EXPORT()
void regfi_iterator_free(REGFI_ITERATOR* i);
 
 
_EXPORT()
bool regfi_iterator_down(REGFI_ITERATOR* i);
 
 
_EXPORT()
bool regfi_iterator_up(REGFI_ITERATOR* i);
 
 
_EXPORT()
bool regfi_iterator_to_root(REGFI_ITERATOR* i);
 
 
_EXPORT()
bool regfi_iterator_descend(REGFI_ITERATOR* i, const char** path);
 
 
_EXPORT()
const REGFI_NK* regfi_iterator_cur_key(REGFI_ITERATOR* i);
 
 
_EXPORT()
bool regfi_iterator_first_subkey(REGFI_ITERATOR* i);
 
 
_EXPORT()
const REGFI_NK* regfi_iterator_cur_subkey(REGFI_ITERATOR* i);
 
 
_EXPORT()
bool regfi_iterator_next_subkey(REGFI_ITERATOR* i);
 
 
_EXPORT()
bool regfi_iterator_find_subkey(REGFI_ITERATOR* i, const char* name);
 
 
_EXPORT()
bool regfi_iterator_first_value(REGFI_ITERATOR* i);
 
 
_EXPORT()
const REGFI_VK* regfi_iterator_cur_value(REGFI_ITERATOR* i);
 
 
_EXPORT()
bool regfi_iterator_next_value(REGFI_ITERATOR* i);
 
 
_EXPORT()
bool regfi_iterator_find_value(REGFI_ITERATOR* i, const char* name);
 
 
_EXPORT()
const REGFI_NK** regfi_iterator_ancestry(REGFI_ITERATOR* i);
 
 
/******************************************************************************/
/******************************************************************************/
 
_EXPORT()
REGFI_NK* regfi_load_key(REGFI_FILE* file, uint32_t offset, 
                         bool strict);
 
 
_EXPORT()
REGFI_VK* regfi_load_value(REGFI_FILE* file, uint32_t offset, 
                           bool strict);
 
 
_EXPORT()
REGFI_SUBKEY_LIST* regfi_load_subkeylist(REGFI_FILE* file, uint32_t offset,
                                         uint32_t num_keys, uint32_t max_size,
                                         bool strict);
 
 
_EXPORT()
REGFI_VALUE_LIST* regfi_load_valuelist(REGFI_FILE* file, uint32_t offset, 
                                       uint32_t num_values, uint32_t max_size,
                                       bool strict);
 
 
_EXPORT()
REGFI_BUFFER regfi_load_data(REGFI_FILE* file, uint32_t voffset,
                             uint32_t length, bool data_in_offset,
                             bool strict);
 
 
_EXPORT()
REGFI_BUFFER regfi_load_big_data(REGFI_FILE* file, uint32_t offset, 
                                 uint32_t data_length,uint32_t cell_length,
                                 range_list* used_ranges,
                                 bool strict);
 
 
_EXPORT()
bool regfi_interpret_data(REGFI_FILE* file, 
                          uint32_t type, REGFI_DATA* data);
 
 
 
/* These are cached so return values don't need to be freed. */
 
_EXPORT()
const REGFI_SK* regfi_load_sk(REGFI_FILE* file, uint32_t offset,
                              bool strict);
 
 
 
 
_EXPORT()
const REGFI_HBIN* regfi_lookup_hbin(REGFI_FILE* file, uint32_t offset);
 
 
 
/******************************************************************************/
/******************************************************************************/
 
_EXPORT()
REGFI_FILE* regfi_parse_regf(REGFI_RAW_FILE* file_cb, bool strict);
 
_EXPORT()
REGFI_HBIN* regfi_parse_hbin(REGFI_FILE* file, uint32_t offset, 
                             bool strict);
 
 
_EXPORT()
REGFI_NK* regfi_parse_nk(REGFI_FILE* file, uint32_t offset,
                             uint32_t max_size, bool strict);
 
 
_EXPORT()
REGFI_SUBKEY_LIST* regfi_parse_subkeylist(REGFI_FILE* file, uint32_t offset,
                                          uint32_t max_size, bool strict);
 
 
_EXPORT()
REGFI_VK* regfi_parse_vk(REGFI_FILE* file, uint32_t offset, 
                             uint32_t max_size, bool strict);
 
 
_EXPORT()
REGFI_SK* regfi_parse_sk(REGFI_FILE* file, uint32_t offset, 
                             uint32_t max_size, bool strict);
 
 
_EXPORT()
range_list* regfi_parse_unalloc_cells(REGFI_FILE* file);
 
 
_EXPORT()
bool regfi_parse_cell(REGFI_RAW_FILE* file_cb, uint32_t offset,
                      uint8_t* hdr, uint32_t hdr_len,
                      uint32_t* cell_length, bool* unalloc);
 
 
_EXPORT()
uint8_t* regfi_parse_classname(REGFI_FILE* file, uint32_t offset,
                               uint16_t* name_length, 
                               uint32_t max_size, bool strict);
 
 
_EXPORT()
REGFI_BUFFER regfi_parse_data(REGFI_FILE* file, uint32_t offset,
                              uint32_t length, bool strict);
 
 
_EXPORT()
REGFI_BUFFER regfi_parse_little_data(REGFI_FILE* file, uint32_t voffset, 
                                     uint32_t length, bool strict);
 
 
/******************************************************************************/
/*    Private (and undocumented) Functions                                    */
/******************************************************************************/
int64_t               regfi_raw_seek(REGFI_RAW_FILE* self, 
                                     uint64_t offset, int whence);
ssize_t               regfi_raw_read(REGFI_RAW_FILE* self, 
                                     void* buf, size_t count);
_EXPORT()
uint64_t              regfi_seek(REGFI_RAW_FILE* file_cb, 
                                 uint64_t offset, int whence);
_EXPORT()
uint32_t              regfi_read(REGFI_RAW_FILE* file_cb, 
                                 uint8_t* buf, uint32_t* length);
 
_EXPORT()
const char*           regfi_type_val2str(unsigned int val);
_EXPORT()
int                   regfi_type_str2val(const char* str);
 
_EXPORT()
char*                 regfi_get_sacl(WINSEC_DESC* sec_desc);
_EXPORT()
char*                 regfi_get_dacl(WINSEC_DESC* sec_desc);
_EXPORT()
char*                 regfi_get_owner(WINSEC_DESC* sec_desc);
_EXPORT()
char*                 regfi_get_group(WINSEC_DESC* sec_desc);
 
REGFI_SUBKEY_LIST*    regfi_merge_subkeylists(uint16_t num_lists, 
                                              REGFI_SUBKEY_LIST** lists,
                                              bool strict);
REGFI_SUBKEY_LIST*    regfi_load_subkeylist_aux(REGFI_FILE* file, uint32_t offset,
                                                uint32_t max_size, bool strict,
                                                uint8_t depth_left);
void                  regfi_add_message(REGFI_FILE* file, uint16_t msg_type, 
                                        const char* fmt, ...);
REGFI_NK*             regfi_copy_nk(const REGFI_NK* nk);
REGFI_VK*             regfi_copy_vk(const REGFI_VK* vk);
_EXPORT()
int32_t               regfi_calc_maxsize(REGFI_FILE* file, uint32_t offset);
REGFI_BUFFER          regfi_conv_charset(const char* input_charset, const char* output_charset,
                                         uint8_t* input, uint32_t input_len);
_EXPORT()
REGFI_DATA*           regfi_buffer_to_data(REGFI_BUFFER raw_data);
 
/* XXX: move to base API and document */
_EXPORT()
REGFI_NTTIME          regfi_unix2nt_time(time_t t);
_EXPORT()
double                regfi_nt2unix_time(REGFI_NTTIME nt);
 
 
_EXPORT()
void regfi_interpret_keyname(REGFI_FILE* file, REGFI_NK* nk, bool strict);
_EXPORT()
void regfi_interpret_valuename(REGFI_FILE* file, REGFI_VK* vk, bool strict);
 
_EXPORT()
void regfi_init();
 
 
#endif  /* _REGFI_H */