regfi
Loading...
Searching...
No Matches
regfi.h
Go to the documentation of this file.
1/*
2 * Copyright (C) 2005-2011 Timothy D. Morgan
3 * Copyright (C) 2010 Michael Cohen
4 * Copyright (C) 2005 Gerald (Jerry) Carter
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; version 3 of the License.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License
16 * along with this program; if not, write to the Free Software
17 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
18 *
19 * $Id: regfi.h 263 2011-06-18 00:06:51Z tim $
20 */
21
58#ifndef _REGFI_H
59#define _REGFI_H
60
61#include <stdlib.h>
62#include <stdio.h>
63#include <stdbool.h>
64#include <string.h>
65#include <errno.h>
66#include <time.h>
67#include <fcntl.h>
68#include <sys/stat.h>
69#include <sys/types.h>
70#include <unistd.h>
71#include <iconv.h>
72#include <pthread.h>
73#include <talloc.h>
74
75/* regfi headers */
76#include "compat.h"
77#include "byteorder.h"
78#include "winsec.h"
79#include "void_stack.h"
80#include "range_list.h"
81#include "lru_cache.h"
82
83/******************************************************************************/
84/* Constants for use while interacting with the library */
85/******************************************************************************/
86
87/* regfi library error message types */
88#define REGFI_LOG_INFO 0x0001
89#define REGFI_LOG_WARN 0x0004
90#define REGFI_LOG_ERROR 0x0010
91#define REGFI_DEFAULT_LOG_MASK REGFI_LOG_ERROR|REGFI_LOG_WARN
92
93/* regfi library supported character encodings */
94/* UTF16LE is not supported for output */
95typedef enum {
96 REGFI_ENCODING_DEFAULT = 0,
97 REGFI_ENCODING_ASCII = 0,
98 REGFI_ENCODING_UTF8 = 1,
99 REGFI_ENCODING_UTF16LE = 2,
100 REGFI_NUM_ENCODINGS = 3
101} REGFI_ENCODING;
102
103/* Registry data types */
104typedef enum {
105 REG_NONE = 0,
106 REG_SZ = 1,
107 REG_EXPAND_SZ = 2,
108 REG_BINARY = 3,
109 REG_DWORD = 4,
110 REG_DWORD_LE = 4 , /* DWORD, little endian */
111 REG_DWORD_BE = 5 , /* DWORD, big endian */
112 REG_LINK = 6,
113 REG_MULTI_SZ = 7,
114 REG_RESOURCE_LIST = 8,
115 REG_FULL_RESOURCE_DESCRIPTOR= 9,
116 REG_RESOURCE_REQUIREMENTS_LIST= 10,
117 REG_QWORD = 11, /* 64-bit little endian */
118/* XXX: Has MS defined a REG_QWORD_BE? */
119/* Not a real type in the registry */
120 REG_KEY = 0x7FFFFFFF
121} REGFI_DATA_TYPE;
122#define REGFI_OFFSET_NONE 0xffffffff
123
124
125
126/******************************************************************************/
127/* Various resource limits and related constants */
128/******************************************************************************/
129
130/* Flags determining how many records to cache internally */
131#define REGFI_CACHE_SK_MAX 64
132#define REGFI_CACHE_NK_MAX 1024
133
134/* This maximum depth is described here:
135 * http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx
136 */
137#define REGFI_MAX_DEPTH 512
138
139/* This limit defines the maximum number of levels deep that ri subkey list
140 * trees can go.
141 */
142/* XXX: This is totally arbitrary right now.
143 * The actual limit may need to be discovered by experimentation.
144 */
145#define REGFI_MAX_SUBKEY_DEPTH 255
146
147
148/******************************************************************************/
149/* Symbols for internal use */
150/******************************************************************************/
151
152/* Global thread-local storage key */
153pthread_key_t regfi_log_key;
154
155/* Header sizes and magic number lengths for various records */
156#define REGFI_HBIN_ALLOC 0x1000 /* Minimum allocation unit for HBINs */
157#define REGFI_REGF_SIZE 0x1000 /* "regf" header block size */
158#define REGFI_REGF_MAGIC_SIZE 4
159#define REGFI_REGF_NAME_SIZE 64
160#define REGFI_REGF_RESERVED1_SIZE 340
161#define REGFI_REGF_RESERVED2_SIZE 3528
162#define REGFI_HBIN_MAGIC_SIZE 4
163#define REGFI_CELL_MAGIC_SIZE 2
164#define REGFI_HBIN_HEADER_SIZE 0x20
165#define REGFI_NK_MIN_LENGTH 0x4C
166#define REGFI_VK_MIN_LENGTH 0x14
167#define REGFI_SK_MIN_LENGTH 0x14
168#define REGFI_SUBKEY_LIST_MIN_LEN 0x4
169#define REGFI_BIG_DATA_MIN_LENGTH 0xC
170
171
172/* Constants used for validation */
173/* XXX: Can we add clock resolution validation as well as range? It has
174 * been reported that Windows timestamps are never more than a
175 * certain granularity (250ms?), which could be used to help
176 * eliminate false positives. Would need to verify this and
177 * perhaps conservatively implement a check.
178 */
179 /* Minimum time is Jan 1, 1990 00:00:00 */
180#define REGFI_MTIME_MIN 0x01B41E6D00000000L
181
182 /* Maximum time is Jan 1, 2290 00:00:00
183 * (We hope no one is using Windows by then...)
184 */
185#define REGFI_MTIME_MAX 0x0304754300000000L
186
187
188/* Flags for the vk records */
189#define REGFI_VK_FLAG_ASCIINAME 0x0001
190#define REGFI_VK_DATA_IN_OFFSET 0x80000000
191#define REGFI_VK_MAX_DATA_LENGTH 1024*1024 /* XXX: This is arbitrary */
192
193
194/* Known key flags */
195/*******************/
196/* These next two show up on normal-seeming keys in Vista and W2K3 registries */
197#define REGFI_NK_FLAG_UNKNOWN1 0x4000
198#define REGFI_NK_FLAG_UNKNOWN2 0x1000
199
200/* This next one shows up in some Vista "software" registries */
201/* XXX: This shows up in the following two SOFTWARE keys in Vista:
202 * /Wow6432Node/Microsoft
203 * /Wow6432Node/Microsoft/Cryptography
204 *
205 * It comes along with UNKNOWN2 and ASCIINAME for a total flags value of 0x10A0
206 */
207#define REGFI_NK_FLAG_UNKNOWN3 0x0080
208
209/* Predefined handle. Rumor has it that the valuelist count for this key is
210 * where the handle is stored.
211 * http://msdn.microsoft.com/en-us/library/ms724836(VS.85).aspx
212 */
213#define REGFI_NK_FLAG_PREDEF_KEY 0x0040
214
215/* The name will be in ASCII if this next bit is set, otherwise UTF-16LE */
216#define REGFI_NK_FLAG_ASCIINAME 0x0020
217
218/* Symlink key.
219 * See: http://www.codeproject.com/KB/system/regsymlink.aspx
220 */
221#define REGFI_NK_FLAG_LINK 0x0010
222
223/* This key cannot be deleted */
224#define REGFI_NK_FLAG_NO_RM 0x0008
225
226/* Root of a hive */
227#define REGFI_NK_FLAG_ROOT 0x0004
228
229/* Mount point of another hive. NULL/(default) value indicates which hive
230 * and where in the hive it points to.
231 */
232#define REGFI_NK_FLAG_HIVE_LINK 0x0002
233
234/* These keys shouldn't be stored on disk, according to:
235 * http://geekswithblogs.net/sdorman/archive/2007/12/24/volatile-registry-keys.aspx
236 */
237#define REGFI_NK_FLAG_VOLATILE 0x0001
238
239/* Useful for identifying unknown flag types */
240#define REGFI_NK_KNOWN_FLAGS (REGFI_NK_FLAG_PREDEF_KEY\
241 | REGFI_NK_FLAG_ASCIINAME\
242 | REGFI_NK_FLAG_LINK\
243 | REGFI_NK_FLAG_NO_RM\
244 | REGFI_NK_FLAG_ROOT\
245 | REGFI_NK_FLAG_HIVE_LINK\
246 | REGFI_NK_FLAG_VOLATILE\
247 | REGFI_NK_FLAG_UNKNOWN1\
248 | REGFI_NK_FLAG_UNKNOWN2\
249 | REGFI_NK_FLAG_UNKNOWN3)
250
251
252#ifndef CHAR_BIT
253#define CHAR_BIT 8
254#endif
255
256#define TIME_T_MIN ((time_t)0 < (time_t) -1 ? (time_t) 0 \
257 : ~ (time_t) 0 << (sizeof (time_t) * CHAR_BIT - 1))
258#define TIME_T_MAX (~ (time_t) 0 - TIME_T_MIN)
259#define REGFI_TIME_FIXUP (369.0*365.25*24*60*60-(3.0*24*60*60+6.0*60*60))
260
261
262
263/******************************************************************************/
264/* Structures */
265/******************************************************************************/
266
267typedef uint64_t REGFI_NTTIME;
268
269typedef struct _regfi_log
270{
271 /* Error/warning/info messages returned by lower layer functions */
272 char* messages;
273
274 /* Mask for error message types that will be stored. */
275 uint16_t msg_mask;
276
277} REGFI_LOG;
278
279
283typedef struct _regfi_hbin
284{
286 uint32_t file_off;
287
289 uint32_t ref_count;
290
293
295 uint32_t block_size;
296
301 uint32_t next_block;
302
304 uint8_t magic[REGFI_HBIN_MAGIC_SIZE];
305} REGFI_HBIN;
306
307
308/* Subkey List -- list of key offsets and hashed names for consistency */
309typedef struct
310{
311 /* Virtual offset of NK record or additional subkey list,
312 * depending on this list's type.
313 */
314 uint32_t offset;
315
316 uint32_t hash;
318
319
323typedef struct _regfi_subkey_list
324{
325 /* Real offset of this record's cell in the file */
326 uint32_t offset;
327
328 uint32_t cell_size;
329
330 /* Number of immediate children */
331 uint32_t num_children;
332
333 /* Total number of keys referenced by this list and its children */
334 uint32_t num_keys;
335
336 REGFI_SUBKEY_LIST_ELEM* elements;
337 uint8_t magic[REGFI_CELL_MAGIC_SIZE];
338
339 /* Set if the magic indicates this subkey list points to child subkey lists */
340 bool recursive_type;
342
343
344typedef uint32_t REGFI_VALUE_LIST_ELEM;
348typedef struct _regfi_value_list
349{
350 /* Real offset of this record's cell in the file */
351 uint32_t offset;
352
353 uint32_t cell_size;
354
355 /* Actual number of values referenced by this list.
356 * May differ from parent key's num_values if there were parsing errors.
357 */
358 uint32_t num_values;
359
360 REGFI_VALUE_LIST_ELEM* elements;
362
363
367typedef struct _regfi_classname
368{
370 uint32_t offset;
371
374
379 uint8_t* raw;
380
385 uint16_t size;
387
388
392typedef struct _regfi_data
393{
394 /* XXX: this isn't populated yet. Should set it to start of data cell
395 * or big data cell.
396 */
397 uint32_t offset;
398
400 REGFI_DATA_TYPE type;
401
403 uint32_t size;
404
406 uint8_t* raw;
407
412
419 {
425 uint8_t* none;
426
432 uint8_t* string;
433
440
446 uint8_t* binary;
447
449 uint32_t dword;
450
452 uint32_t dword_be;
453
459 uint8_t* link;
460
468
470 uint64_t qword;
471
472 /* The following are treated as binary currently, but this may change in
473 * the future as the formats become better understood.
474 */
475
482
489
496 } interpreted;
497} REGFI_DATA;
498
499
503typedef struct _regfi_vk
504{
506 uint32_t offset;
507
509 uint32_t cell_size;
510
516 char* name;
517
522 uint8_t* name_raw;
523
525 uint16_t name_length;
526
528 uint32_t hbin_off;
529
534 uint32_t data_size;
535
537 uint32_t data_off;
538
540 REGFI_DATA_TYPE type;
541
543 uint8_t magic[REGFI_CELL_MAGIC_SIZE];
544
546 uint16_t flags;
547
548 /* XXX: A 2-byte field of unknown purpose stored in the VK record */
549 uint16_t unknown1;
550
556
557 /* XXX: deprecated */
558 REGFI_DATA* data;
559
560} REGFI_VK;
561
562
563/* Key Security */
564struct _regfi_sk;
565
569typedef struct _regfi_sk
570{
572 uint32_t offset;
573
575 uint32_t cell_size;
576
579
581 uint32_t hbin_off;
582
584 uint32_t prev_sk_off;
585
587 uint32_t next_sk_off;
588
590 uint32_t ref_count;
591
593 uint32_t desc_size;
594
595 /* XXX: A 2-byte field of unknown purpose */
596 uint16_t unknown_tag;
597
599 uint8_t magic[REGFI_CELL_MAGIC_SIZE];
600} REGFI_SK;
601
602
606typedef struct _regfi_nk
607{
609 uint32_t offset;
610
614 uint32_t cell_size;
615
621
622
628
630 uint16_t flags;
631
633 uint8_t magic[REGFI_CELL_MAGIC_SIZE];
634
636 REGFI_NTTIME mtime;
637
639 uint16_t name_length;
640
643
649 char* name;
650
655 uint8_t* name_raw;
656
658 uint32_t parent_off;
659
662
663 /* XXX: max subkey name * 2 */
664 uint32_t max_bytes_subkeyname;
665
666 /* XXX: max subkey classname length (as if) */
667 uint32_t max_bytes_subkeyclassname;
668
669 /* XXX: max value name * 2 */
670 uint32_t max_bytes_valuename;
671
672 /* XXX: max value data size */
673 uint32_t max_bytes_value;
674
675 /* XXX: Fields of unknown purpose */
676 uint32_t unknown1;
677 uint32_t unknown2;
678 uint32_t unknown3;
679 uint32_t unk_index; /* nigel says run time index ? */
680
682 uint32_t num_subkeys;
683
685 uint32_t subkeys_off;
686
688 uint32_t num_values;
689
691 uint32_t values_off;
692
694 uint32_t sk_off;
695} REGFI_NK;
696
697
698typedef struct _regfi_raw_file
699{
700 int64_t (* seek)(); /* (REGFI_RAW_FILE* self, uint64_t offset, int whence) */
701 ssize_t (* read)(); /* (REGFI_RAW_FILE* self, void* buf, size_t count) */
702
703 uint64_t cur_off;
704 uint64_t size;
705 void* state;
707
708
724typedef struct _regfi_file
725{
726 /* Data parsed from file header */
727 /********************************/
728 uint8_t magic[REGFI_REGF_MAGIC_SIZE];/* "regf" */
729
730 /* These sequence numbers should match if
731 * the hive was properly synced to disk.
732 */
733 uint32_t sequence1;
734 uint32_t sequence2;
735
736 REGFI_NTTIME mtime;
737 uint32_t major_version; /* Set to 1 in all known hives */
738 uint32_t minor_version; /* Set to 3 or 5 in all known hives */
739 uint32_t type; /* XXX: Unverified. Set to 0 in all known hives */
740 uint32_t format; /* XXX: Unverified. Set to 1 in all known hives */
741
742 uint32_t root_cell; /* Offset to root cell in the first (or any?) hbin block */
743 uint32_t last_block; /* Offset to last hbin block in file */
744
745 uint32_t cluster; /* XXX: Unverified. Set to 1 in all known hives */
746
747 /* Matches hive's base file name. Stored in UTF-16LE */
748 uint8_t file_name[REGFI_REGF_NAME_SIZE];
749
750 WINSEC_UUID* rm_id; /* XXX: Unverified. */
751 WINSEC_UUID* log_id; /* XXX: Unverified. */
752 WINSEC_UUID* tm_id; /* XXX: Unverified. */
753 uint32_t flags; /* XXX: Unverified. */
754 uint32_t guid_signature; /* XXX: Unverified. */
755
756 uint32_t checksum; /* Stored checksum from file */
757 uint32_t computed_checksum; /* Our own calculation of the checksum.
758 * (XOR of bytes 0x0000 - 0x01FB) */
759
760 WINSEC_UUID* thaw_tm_id; /* XXX: Unverified. */
761 WINSEC_UUID* thaw_rm_id; /* XXX: Unverified. */
762 WINSEC_UUID* thaw_log_id; /* XXX: Unverified. */
763 uint32_t boot_type; /* XXX: Unverified. */
764 uint32_t boot_recover; /* XXX: Unverified. */
765
766 /* This seems to include random junk. Possibly unsanitized memory left over
767 * from when header block was written. For instance, chunks of nk records
768 * can be found, though often it's all 0s. */
769 uint8_t reserved1[REGFI_REGF_RESERVED1_SIZE];
770
771 /* This is likely reserved and unusued currently. (Should be all 0s.)
772 * Included here for easier access in looking for hidden data
773 * or doing research. */
774 uint8_t reserved2[REGFI_REGF_RESERVED2_SIZE];
775
776
777 /* Run-time information */
778 /************************/
779 /* For sanity checking (not part of the registry header) */
780 uint32_t file_length;
781
784 REGFI_ENCODING string_encoding;
785
786 /* Functions for accessing the file */
787 REGFI_RAW_FILE* cb;
788
789 /* Mutex for all cb access. This is done to prevent one thread from moving
790 * the file offset while another thread is in the middle of a multi-read
791 * parsing transaction */
792 pthread_mutex_t cb_lock;
793
794 /* Metadata about hbins */
795 range_list* hbins;
796
797 /* Multiple read access allowed, write access is exclusive */
798 pthread_rwlock_t hbins_lock;
799
800 /* Small number of SK records cached */
801 lru_cache* sk_cache;
802
803 /* Need exclusive access for LRUs, since lookups make changes */
804 pthread_mutex_t sk_lock;
805
806 /* Limited number of keys cached */
807 lru_cache* nk_cache;
808
809 /* Need exclusive access for LRUs, since lookups make changes */
810 pthread_mutex_t nk_lock;
811
812 /* Needed to protect various talloc calls */
813 pthread_mutex_t mem_lock;
814
815} REGFI_FILE;
816
817
818typedef struct _regfi_iter_position
819{
820 /* key offset */
821 uint32_t offset;
822
823 /* Index of the current subkey */
824 uint32_t cur_subkey;
825
826 /* Index of the current value */
827 uint32_t cur_value;
828
829 /* The number of subkeys of this key */
830 uint32_t num_subkeys;
831
832 /* The number of values of this key */
833 uint32_t num_values;
834
836
837
841typedef struct _regfi_iterator
842{
845
848
851
852
853
857typedef struct _regfi_buffer
858{
859 uint8_t* buf;
860 uint32_t len;
862
863
864
865/******************************************************************************/
872/******************************************************************************/
873
874
875
882_EXPORT()
883const char* regfi_version();
884
885
904_EXPORT()
905REGFI_FILE* regfi_alloc(int fd, REGFI_ENCODING output_encoding);
906
907
928_EXPORT()
930 REGFI_ENCODING output_encoding);
931
932
939_EXPORT()
940void regfi_free(REGFI_FILE* file);
941
942
950_EXPORT()
951char* regfi_log_get_str();
952
953
980_EXPORT()
981bool regfi_log_set_mask(uint16_t mask);
982
983
991_EXPORT()
993
994
1010_EXPORT()
1011void regfi_free_record(REGFI_FILE* file, const void* record);
1012
1013
1037_EXPORT()
1038const void* regfi_reference_record(REGFI_FILE* file, const void* record);
1039
1040
1052_EXPORT()
1053uint32_t regfi_fetch_num_subkeys(const REGFI_NK* key);
1054
1055
1067_EXPORT()
1068uint32_t regfi_fetch_num_values(const REGFI_NK* key);
1069
1070
1081_EXPORT()
1083 const REGFI_NK* key);
1084
1085
1095_EXPORT()
1096const REGFI_SK* regfi_fetch_sk(REGFI_FILE* file, const REGFI_NK* key);
1097
1098
1113_EXPORT()
1114const REGFI_SK* regfi_next_sk(REGFI_FILE* file, const REGFI_SK* sk);
1115
1116
1131_EXPORT()
1132const REGFI_SK* regfi_prev_sk(REGFI_FILE* file, const REGFI_SK* sk);
1133
1134
1145_EXPORT()
1147 const REGFI_VK* value);
1148
1149
1164_EXPORT()
1165bool regfi_find_subkey(REGFI_FILE* file, const REGFI_NK* key,
1166 const char* name, uint32_t* index);
1167
1168
1183_EXPORT()
1184bool regfi_find_value(REGFI_FILE* file, const REGFI_NK* key,
1185 const char* name, uint32_t* index);
1186
1187
1198_EXPORT()
1199const REGFI_NK* regfi_get_subkey(REGFI_FILE* file, const REGFI_NK* key,
1200 uint32_t index);
1201
1202
1213_EXPORT()
1214const REGFI_VK* regfi_get_value(REGFI_FILE* file, const REGFI_NK* key,
1215 uint32_t index);
1216
1217
1218
1228_EXPORT()
1229const REGFI_NK* regfi_get_parentkey(REGFI_FILE* file, const REGFI_NK* key);
1230
1231
1232/******************************************************************************/
1240/******************************************************************************/
1241
1251_EXPORT()
1253
1254
1263_EXPORT()
1265
1266
1280_EXPORT()
1282
1283
1293_EXPORT()
1295
1296
1305_EXPORT()
1307
1308
1327_EXPORT()
1328bool regfi_iterator_descend(REGFI_ITERATOR* i, const char** path);
1329
1330
1340_EXPORT()
1342
1343
1353_EXPORT()
1355
1356
1367_EXPORT()
1369
1370
1379_EXPORT()
1381
1382
1394_EXPORT()
1395bool regfi_iterator_find_subkey(REGFI_ITERATOR* i, const char* name);
1396
1397
1407_EXPORT()
1409
1410
1421_EXPORT()
1423
1424
1433_EXPORT()
1435
1436
1448_EXPORT()
1449bool regfi_iterator_find_value(REGFI_ITERATOR* i, const char* name);
1450
1451
1467_EXPORT()
1469
1470
1471/******************************************************************************/
1475/******************************************************************************/
1476
1483_EXPORT()
1484REGFI_NK* regfi_load_key(REGFI_FILE* file, uint32_t offset,
1485 bool strict);
1486
1487
1494_EXPORT()
1495REGFI_VK* regfi_load_value(REGFI_FILE* file, uint32_t offset,
1496 bool strict);
1497
1498
1505_EXPORT()
1506REGFI_SUBKEY_LIST* regfi_load_subkeylist(REGFI_FILE* file, uint32_t offset,
1507 uint32_t num_keys, uint32_t max_size,
1508 bool strict);
1509
1510
1517_EXPORT()
1518REGFI_VALUE_LIST* regfi_load_valuelist(REGFI_FILE* file, uint32_t offset,
1519 uint32_t num_values, uint32_t max_size,
1520 bool strict);
1521
1522
1530_EXPORT()
1531REGFI_BUFFER regfi_load_data(REGFI_FILE* file, uint32_t voffset,
1532 uint32_t length, bool data_in_offset,
1533 bool strict);
1534
1535
1542_EXPORT()
1543REGFI_BUFFER regfi_load_big_data(REGFI_FILE* file, uint32_t offset,
1544 uint32_t data_length,uint32_t cell_length,
1545 range_list* used_ranges,
1546 bool strict);
1547
1548
1556_EXPORT()
1558 uint32_t type, REGFI_DATA* data);
1559
1560
1561
1562/* These are cached so return values don't need to be freed. */
1563
1570_EXPORT()
1571const REGFI_SK* regfi_load_sk(REGFI_FILE* file, uint32_t offset,
1572 bool strict);
1573
1574
1575
1576
1583_EXPORT()
1584const REGFI_HBIN* regfi_lookup_hbin(REGFI_FILE* file, uint32_t offset);
1585
1586
1587
1588/******************************************************************************/
1592/******************************************************************************/
1593
1594_EXPORT()
1595REGFI_FILE* regfi_parse_regf(REGFI_RAW_FILE* file_cb, bool strict);
1596
1597_EXPORT()
1598REGFI_HBIN* regfi_parse_hbin(REGFI_FILE* file, uint32_t offset,
1599 bool strict);
1600
1601
1614_EXPORT()
1615REGFI_NK* regfi_parse_nk(REGFI_FILE* file, uint32_t offset,
1616 uint32_t max_size, bool strict);
1617
1618
1625_EXPORT()
1627 uint32_t max_size, bool strict);
1628
1629
1636_EXPORT()
1637REGFI_VK* regfi_parse_vk(REGFI_FILE* file, uint32_t offset,
1638 uint32_t max_size, bool strict);
1639
1640
1647_EXPORT()
1648REGFI_SK* regfi_parse_sk(REGFI_FILE* file, uint32_t offset,
1649 uint32_t max_size, bool strict);
1650
1651
1661_EXPORT()
1663
1664
1671_EXPORT()
1672bool regfi_parse_cell(REGFI_RAW_FILE* file_cb, uint32_t offset,
1673 uint8_t* hdr, uint32_t hdr_len,
1674 uint32_t* cell_length, bool* unalloc);
1675
1676
1683_EXPORT()
1684uint8_t* regfi_parse_classname(REGFI_FILE* file, uint32_t offset,
1685 uint16_t* name_length,
1686 uint32_t max_size, bool strict);
1687
1688
1695_EXPORT()
1696REGFI_BUFFER regfi_parse_data(REGFI_FILE* file, uint32_t offset,
1697 uint32_t length, bool strict);
1698
1699
1707_EXPORT()
1708REGFI_BUFFER regfi_parse_little_data(REGFI_FILE* file, uint32_t voffset,
1709 uint32_t length, bool strict);
1710
1711
1712/******************************************************************************/
1713/* Private (and undocumented) Functions */
1714/******************************************************************************/
1715int64_t regfi_raw_seek(REGFI_RAW_FILE* self,
1716 uint64_t offset, int whence);
1717ssize_t regfi_raw_read(REGFI_RAW_FILE* self,
1718 void* buf, size_t count);
1719_EXPORT()
1720uint64_t regfi_seek(REGFI_RAW_FILE* file_cb,
1721 uint64_t offset, int whence);
1722_EXPORT()
1723uint32_t regfi_read(REGFI_RAW_FILE* file_cb,
1724 uint8_t* buf, uint32_t* length);
1725
1726_EXPORT()
1727const char* regfi_type_val2str(unsigned int val);
1728_EXPORT()
1729int regfi_type_str2val(const char* str);
1730
1731_EXPORT()
1732char* regfi_get_sacl(WINSEC_DESC* sec_desc);
1733_EXPORT()
1734char* regfi_get_dacl(WINSEC_DESC* sec_desc);
1735_EXPORT()
1736char* regfi_get_owner(WINSEC_DESC* sec_desc);
1737_EXPORT()
1738char* regfi_get_group(WINSEC_DESC* sec_desc);
1739
1740REGFI_SUBKEY_LIST* regfi_merge_subkeylists(uint16_t num_lists,
1741 REGFI_SUBKEY_LIST** lists,
1742 bool strict);
1743REGFI_SUBKEY_LIST* regfi_load_subkeylist_aux(REGFI_FILE* file, uint32_t offset,
1744 uint32_t max_size, bool strict,
1745 uint8_t depth_left);
1746void regfi_add_message(REGFI_FILE* file, uint16_t msg_type,
1747 const char* fmt, ...);
1748REGFI_NK* regfi_copy_nk(const REGFI_NK* nk);
1749REGFI_VK* regfi_copy_vk(const REGFI_VK* vk);
1750_EXPORT()
1751int32_t regfi_calc_maxsize(REGFI_FILE* file, uint32_t offset);
1752REGFI_BUFFER regfi_conv_charset(const char* input_charset, const char* output_charset,
1753 uint8_t* input, uint32_t input_len);
1754_EXPORT()
1755REGFI_DATA* regfi_buffer_to_data(REGFI_BUFFER raw_data);
1756
1757/* XXX: move to base API and document */
1758_EXPORT()
1759REGFI_NTTIME regfi_unix2nt_time(time_t t);
1760_EXPORT()
1761double regfi_nt2unix_time(REGFI_NTTIME nt);
1762
1763
1764_EXPORT()
1765void regfi_interpret_keyname(REGFI_FILE* file, REGFI_NK* nk, bool strict);
1766_EXPORT()
1767void regfi_interpret_valuename(REGFI_FILE* file, REGFI_VK* vk, bool strict);
1768
1769_EXPORT()
1770void regfi_init();
1771
1772
1773#endif /* _REGFI_H */
This file implements macros for machine independent short and int manipulation.
void regfi_free_record(REGFI_FILE *file, const void *record)
Frees a record previously returned by one of the API functions.
Definition regfi.c:1775
bool regfi_log_set_mask(uint16_t mask)
Set the verbosity level of messages generated by the library for the current thread.
Definition regfi.c:194
void regfi_free(REGFI_FILE *file)
Frees a hive's data structures without closing the underlying file.
Definition regfi.c:1720
bool regfi_find_subkey(REGFI_FILE *file, const REGFI_NK *key, const char *name, uint32_t *index)
Locates a specific subkey of a given key.
Definition regfi.c:2344
uint32_t regfi_fetch_num_subkeys(const REGFI_NK *key)
Retrieves number of subkeys referenced by this key.
Definition regfi.c:1804
char * regfi_log_get_str()
Get errors, warnings, and/or verbose information relating to processing of the given registry file.
Definition regfi.c:178
const REGFI_CLASSNAME * regfi_fetch_classname(REGFI_FILE *file, const REGFI_NK *key)
Retrieves classname for a given key.
Definition regfi.c:2238
const REGFI_SK * regfi_fetch_sk(REGFI_FILE *file, const REGFI_NK *key)
Returns the SK (security) record referenced by the supplied key.
Definition regfi.c:2052
const REGFI_SK * regfi_next_sk(REGFI_FILE *file, const REGFI_SK *sk)
Returns the next SK (security) record referenced by the supplied SK record.
Definition regfi.c:2064
uint32_t regfi_fetch_num_values(const REGFI_NK *key)
Retrieves number of values referenced by this key.
Definition regfi.c:1827
REGFI_FILE * regfi_alloc(int fd, REGFI_ENCODING output_encoding)
Parses file headers of an already open registry hive file and allocates related structures for furthe...
Definition regfi.c:1546
REGFI_FILE * regfi_alloc_cb(REGFI_RAW_FILE *file_cb, REGFI_ENCODING output_encoding)
Parses file headers returned by supplied callback functions.
Definition regfi.c:1595
const char * regfi_version()
Returns the current regfi library version.
Definition regfi.c:58
const REGFI_NK * regfi_get_parentkey(REGFI_FILE *file, const REGFI_NK *key)
Uses a key's parent_off reference to retrieve it's parent.
Definition regfi.c:2455
const REGFI_NK * regfi_get_rootkey(REGFI_FILE *file)
Fetches a hive's root key.
Definition regfi.c:1731
const REGFI_NK * regfi_get_subkey(REGFI_FILE *file, const REGFI_NK *key, uint32_t index)
Retrieves a specific subkey of a given key.
Definition regfi.c:2422
const REGFI_VK * regfi_get_value(REGFI_FILE *file, const REGFI_NK *key, uint32_t index)
Retrieves a specific value of a given key.
Definition regfi.c:2438
const void * regfi_reference_record(REGFI_FILE *file, const void *record)
Increments reference count on record.
Definition regfi.c:1788
const REGFI_DATA * regfi_fetch_data(REGFI_FILE *file, const REGFI_VK *value)
Retrieves data for a given value.
Definition regfi.c:2298
const REGFI_SK * regfi_prev_sk(REGFI_FILE *file, const REGFI_SK *sk)
Returns the previous SK (security) record referenced by the supplied SK record.
Definition regfi.c:2075
bool regfi_find_value(REGFI_FILE *file, const REGFI_NK *key, const char *name, uint32_t *index)
Locates a specific value of a given key.
Definition regfi.c:2385
REGFI_SUBKEY_LIST * regfi_load_subkeylist(REGFI_FILE *file, uint32_t offset, uint32_t num_keys, uint32_t max_size, bool strict)
Loads a logical subkey list in its entirety which may span multiple records.
Definition regfi.c:714
const REGFI_SK * regfi_load_sk(REGFI_FILE *file, uint32_t offset, bool strict)
Loads an "sk" security record at the specified offset.
Definition regfi.c:1437
REGFI_VK * regfi_load_value(REGFI_FILE *file, uint32_t offset, bool strict)
Loads a value at a given file offset alng with associated data structures.
Definition regfi.c:1224
REGFI_BUFFER regfi_load_data(REGFI_FILE *file, uint32_t voffset, uint32_t length, bool data_in_offset, bool strict)
Loads a data record which may be contained in the virtual offset, in a single cell,...
Definition regfi.c:3259
REGFI_VALUE_LIST * regfi_load_valuelist(REGFI_FILE *file, uint32_t offset, uint32_t num_values, uint32_t max_size, bool strict)
Loads a valuelist.
Definition regfi.c:1246
REGFI_NK * regfi_load_key(REGFI_FILE *file, uint32_t offset, bool strict)
Loads a key and associated data structures given a file offset.
Definition regfi.c:1317
bool regfi_interpret_data(REGFI_FILE *file, uint32_t type, REGFI_DATA *data)
Given raw data, attempts to interpret the data based on a specified registry data type.
Definition regfi.c:2491
const REGFI_HBIN * regfi_lookup_hbin(REGFI_FILE *file, uint32_t offset)
Retrieves the HBIN data structure stored at the specified offset.
Definition regfi.c:690
REGFI_BUFFER regfi_load_big_data(REGFI_FILE *file, uint32_t offset, uint32_t data_length, uint32_t cell_length, range_list *used_ranges, bool strict)
Loads the data associated with a big data record at the specified offset.
Definition regfi.c:3625
REGFI_ITERATOR * regfi_iterator_new(REGFI_FILE *file)
Creates a new iterator for the provided registry file.
Definition regfi.c:1850
bool regfi_iterator_descend(REGFI_ITERATOR *i, const char **path)
Traverse down multiple levels in the registry hive.
Definition regfi.c:2014
bool regfi_iterator_up(REGFI_ITERATOR *i)
Traverse up to the current key's parent key.
Definition regfi.c:1955
bool regfi_iterator_to_root(REGFI_ITERATOR *i)
Traverse up to the root key of the hive.
Definition regfi.c:1977
const REGFI_VK * regfi_iterator_cur_value(REGFI_ITERATOR *i)
Returns the currently indexed value.
Definition regfi.c:2160
bool regfi_iterator_down(REGFI_ITERATOR *i)
Traverse deeper into the registry tree at the current subkey.
Definition regfi.c:1912
bool regfi_iterator_next_subkey(REGFI_ITERATOR *i)
Increments the internal subkey index to the next key in the subkey-list.
Definition regfi.c:2116
bool regfi_iterator_first_subkey(REGFI_ITERATOR *i)
Sets the internal subkey index to the first subkey referenced by the current key.
Definition regfi.c:2086
const REGFI_NK ** regfi_iterator_ancestry(REGFI_ITERATOR *i)
Returns the current key and all parent keys as a list of NK records.
Definition regfi.c:2192
bool regfi_iterator_first_value(REGFI_ITERATOR *i)
Sets the internal value index to the first value referenced by the current key.
Definition regfi.c:2151
bool regfi_iterator_next_value(REGFI_ITERATOR *i)
Increments the internal value index to the next value in the value-list.
Definition regfi.c:2181
const REGFI_NK * regfi_iterator_cur_subkey(REGFI_ITERATOR *i)
Returns the currently indexed subkey.
Definition regfi.c:2095
bool regfi_iterator_find_value(REGFI_ITERATOR *i, const char *name)
Searches for a value with a given name under the current key.
Definition regfi.c:2125
const REGFI_NK * regfi_iterator_cur_key(REGFI_ITERATOR *i)
Returns the currently referenced key.
Definition regfi.c:2041
void regfi_iterator_free(REGFI_ITERATOR *i)
Frees a registry file iterator previously created by regfi_iterator_new.
Definition regfi.c:1903
bool regfi_iterator_find_subkey(REGFI_ITERATOR *i, const char *name)
Searches for a subkey with a given name under the current key.
Definition regfi.c:1988
REGFI_BUFFER regfi_parse_data(REGFI_FILE *file, uint32_t offset, uint32_t length, bool strict)
Parses a single-cell data record.
Definition regfi.c:3373
uint8_t * regfi_parse_classname(REGFI_FILE *file, uint32_t offset, uint16_t *name_length, uint32_t max_size, bool strict)
Parses a classname cell.
Definition regfi.c:3061
REGFI_SUBKEY_LIST * regfi_parse_subkeylist(REGFI_FILE *file, uint32_t offset, uint32_t max_size, bool strict)
Parses a single cell containing a subkey-list record.
Definition regfi.c:795
range_list * regfi_parse_unalloc_cells(REGFI_FILE *file)
Retrieves information on all cells in the registry hive which are currently in the unallocated status...
Definition regfi.c:3757
REGFI_NK * regfi_parse_nk(REGFI_FILE *file, uint32_t offset, uint32_t max_size, bool strict)
Parses an NK record at the specified offset.
Definition regfi.c:2918
REGFI_BUFFER regfi_parse_little_data(REGFI_FILE *file, uint32_t voffset, uint32_t length, bool strict)
Parses a "little data" record which is stored entirely within the provided virtual offset.
Definition regfi.c:3424
bool regfi_parse_cell(REGFI_RAW_FILE *file_cb, uint32_t offset, uint8_t *hdr, uint32_t hdr_len, uint32_t *cell_length, bool *unalloc)
Helper function to parse a cell.
Definition regfi.c:628
REGFI_SK * regfi_parse_sk(REGFI_FILE *file, uint32_t offset, uint32_t max_size, bool strict)
Parses an SK (security) record at the specified offset.
Definition regfi.c:974
REGFI_VK * regfi_parse_vk(REGFI_FILE *file, uint32_t offset, uint32_t max_size, bool strict)
Parses a VK (value) record at the specified offset.
Definition regfi.c:3138
A data structure which approximates a least recently used (LRU) cache.
A data structure which stores a list of address ranges.
General purpose buffer with stored length.
Definition regfi.h:858
Class name structure (used in storing SysKeys)
Definition regfi.h:368
uint32_t offset
Real offset of this record's cell in the file.
Definition regfi.h:370
uint8_t * raw
Represents raw buffer read from classname cell.
Definition regfi.h:379
uint16_t size
Length of the raw data.
Definition regfi.h:385
char * interpreted
As converted to requested REGFI_ENCODING.
Definition regfi.h:373
Data record structure.
Definition regfi.h:393
uint8_t * raw
This is always present, representing the raw data cell contents.
Definition regfi.h:406
uint32_t size
Length of the raw data.
Definition regfi.h:403
uint32_t interpreted_size
Represents the length of the interpreted value.
Definition regfi.h:411
REGFI_DATA_TYPE type
Data type of this data, as indicated by the referencing VK record.
Definition regfi.h:400
Registry hive file data structure.
Definition regfi.h:725
REGFI_ENCODING string_encoding
The encoding that all strings are converted to during interpretation.
Definition regfi.h:784
HBIN block information.
Definition regfi.h:284
uint32_t next_block
Relative offset to next block.
Definition regfi.h:301
uint32_t block_size
Block size of this block Should be a multiple of 4096 (0x1000)
Definition regfi.h:295
uint32_t ref_count
Number of active records pointing to this block (not used currently)
Definition regfi.h:289
uint32_t file_off
Offset of this HBIN in the registry file.
Definition regfi.h:286
uint32_t first_hbin_off
Offset from first hbin block.
Definition regfi.h:292
Registry hive iterator.
Definition regfi.h:842
REGFI_FILE * f
The registry hive this iterator is associated with.
Definition regfi.h:844
void_stack * key_positions
All current parent keys and associated iterator positions.
Definition regfi.h:847
Definition regfi.h:819
Definition regfi.h:270
Key structure.
Definition regfi.h:607
uint32_t cell_size
Actual or estimated length of the cell.
Definition regfi.h:614
uint32_t classname_off
Virtual offset of classname key.
Definition regfi.h:661
uint32_t parent_off
Virtual offset of parent key.
Definition regfi.h:658
uint32_t num_values
Number of values for this key.
Definition regfi.h:688
uint32_t offset
Real offset of this record's cell in the file.
Definition regfi.h:609
uint16_t name_length
Length of name_raw.
Definition regfi.h:639
REGFI_VALUE_LIST * values
Preloaded value-list for this key.
Definition regfi.h:620
uint32_t values_off
Virtual offset of value-list.
Definition regfi.h:691
REGFI_NTTIME mtime
Key's last modification time.
Definition regfi.h:636
uint16_t classname_length
Length of referenced classname.
Definition regfi.h:642
uint8_t * name_raw
The raw key name.
Definition regfi.h:655
uint32_t num_subkeys
Number of subkeys.
Definition regfi.h:682
char * name
The name of this key converted to desired REGFI_ENCODING.
Definition regfi.h:649
REGFI_SUBKEY_LIST * subkeys
Preloaded subkey-list for this key.
Definition regfi.h:627
uint32_t subkeys_off
Virtual offset of subkey-list.
Definition regfi.h:685
uint32_t sk_off
Virtual offset of SK record.
Definition regfi.h:694
uint16_t flags
Key flags.
Definition regfi.h:630
Definition regfi.h:699
Security structure.
Definition regfi.h:570
uint32_t hbin_off
Offset of this record from beginning of this hbin block.
Definition regfi.h:581
uint32_t desc_size
Size of security descriptor (sec_desc)
Definition regfi.h:593
WINSEC_DESC * sec_desc
The stored Windows security descriptor for this SK record.
Definition regfi.h:578
uint32_t prev_sk_off
Offset of the previous SK record in the linked list of SK records.
Definition regfi.h:584
uint32_t cell_size
((start_offset - end_offset) & 0xfffffff8)
Definition regfi.h:575
uint32_t ref_count
Number of keys referencing this SK record.
Definition regfi.h:590
uint32_t offset
Real file offset of this record.
Definition regfi.h:572
uint32_t next_sk_off
Offset of the next SK record in the linked list of SK records.
Definition regfi.h:587
Definition regfi.h:310
Subkey-list structure.
Definition regfi.h:324
Value-list structure.
Definition regfi.h:349
Value structure.
Definition regfi.h:504
uint32_t cell_size
((start_offset - end_offset) & 0xfffffff8)
Definition regfi.h:509
char * name
The name of this value converted to desired REGFI_ENCODING.
Definition regfi.h:516
uint16_t flags
VK record flags.
Definition regfi.h:546
uint32_t data_off
Virtual offset of data cell.
Definition regfi.h:537
REGFI_DATA_TYPE type
Value's data type.
Definition regfi.h:540
uint16_t name_length
Length of name_raw.
Definition regfi.h:525
uint32_t hbin_off
Offset from beginning of this hbin block.
Definition regfi.h:528
uint32_t offset
Real offset of this record's cell in the file.
Definition regfi.h:506
uint32_t data_size
Size of the value's data as reported in the VK record.
Definition regfi.h:534
uint8_t * name_raw
The raw value name.
Definition regfi.h:522
bool data_in_offset
Whether or not the data record is stored in the VK record's data_off field.
Definition regfi.h:555
XXX: document this.
Definition winsec.h:172
XXX: document this.
Definition winsec.h:79
XXX: document this.
Definition lru_cache.h:58
XXX: document this.
Definition range_list.h:52
XXX: document this.
Definition void_stack.h:40
These items represent interpreted versions of the REGFI_DATA::raw field.
Definition regfi.h:419
uint8_t * link
REG_LINK.
Definition regfi.h:459
uint8_t * none
REG_NONE.
Definition regfi.h:425
uint8_t ** multiple_string
REG_MULTI_SZ.
Definition regfi.h:467
uint32_t dword
REG_DWORD.
Definition regfi.h:449
uint8_t * resource_requirements_list
REG_RESOURCE_REQUIREMENTS_LIST.
Definition regfi.h:495
uint64_t qword
REG_QWORD.
Definition regfi.h:470
uint8_t * string
REG_SZ.
Definition regfi.h:432
uint8_t * expand_string
REG_EXPAND_SZ.
Definition regfi.h:439
uint8_t * binary
REG_BINARY.
Definition regfi.h:446
uint32_t dword_be
REG_DWORD_BE.
Definition regfi.h:452
uint8_t * resource_list
REG_RESOURCE_LIST.
Definition regfi.h:481
uint8_t * full_resource_descriptor
REG_FULL_RESOURCE_DESCRIPTOR.
Definition regfi.h:488
This is a very simple implementation of a stack which stores chunks of memory of any type.
A small library for interpreting Windows Security Descriptors.