2 Samba Unix/Linux SMB client utility editreg.c
3 Copyright (C) 2002 Richard Sharpe, rsharpe@richardsharpe.com
4 Copyright (C) 2003 Jelmer Vernooij (conversion to popt)
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
20 /*************************************************************************
22 A utility to edit a Windows NT/2K etc registry file.
24 Many of the ideas in here come from other people and software.
25 I first looked in Wine in misc/registry.c and was also influenced by
26 http://www.wednesday.demon.co.uk/dosreg.html
28 Which seems to contain comments from someone else. I reproduce them here
29 incase the site above disappears. It actually comes from
30 http://home.eunet.no/~pnordahl/ntpasswd/WinReg.txt.
32 The goal here is to read the registry into memory, manipulate it, and then
33 write it out if it was changed by any actions of the user.
35 The windows NT registry has 2 different blocks, where one can occur many
41 "regf" is obviosly the abbreviation for "Registry file". "regf" is the
42 signature of the header-block which is always 4kb in size, although only
43 the first 64 bytes seem to be used and a checksum is calculated over
44 the first 0x200 bytes only!
47 0x00000000 D-Word ID: ASCII-"regf" = 0x66676572
48 0x00000004 D-Word ???? //see struct REGF
49 0x00000008 D-Word ???? Always the same value as at 0x00000004
50 0x0000000C Q-Word last modify date in WinNT date-format
55 0x00000024 D-Word Offset of 1st key record
56 0x00000028 D-Word Size of the data-blocks (Filesize-4kb)
58 0x000001FC D-Word Sum of all D-Words from 0x00000000 to
59 0x000001FB //XOR of all words. Nigel
61 I have analyzed more registry files (from multiple machines running
62 NT 4.0 german version) and could not find an explanation for the values
63 marked with ???? the rest of the first 4kb page is not important...
67 I don't know what "hbin" stands for, but this block is always a multiple
70 Inside these hbin-blocks the different records are placed. The memory-
71 management looks like a C-compiler heap management to me...
76 0x0000 D-Word ID: ASCII-"hbin" = 0x6E696268
77 0x0004 D-Word Offset from the 1st hbin-Block
78 0x0008 D-Word Offset to the next hbin-Block
79 0x001C D-Word Block-size
81 The values in 0x0008 and 0x001C should be the same, so I don't know
82 if they are correct or swapped...
84 From offset 0x0020 inside a hbin-block data is stored with the following
88 0x0000 D-Word Data-block size //this size must be a
92 If the size field is negative (bit 31 set), the corresponding block
93 is free and has a size of -blocksize!
95 That does not seem to be true. All block lengths seem to be negative! (Richard Sharpe)
97 The data is stored as one record per block. Block size is a multiple
98 of 4 and the last block reaches the next hbin-block, leaving no room.
100 Records in the hbin-blocks
101 ==========================
105 The nk-record can be treated as a kombination of tree-record and
106 key-record of the win 95 registry.
110 The lf-record is the counterpart to the RGKN-record (the
115 The vk-record consists information to a single value.
119 sk (? Security Key ?) is the ACL of the registry.
123 The value-lists contain information about which values are inside a
124 sub-key and don't have a header.
128 The datas of the registry are (like the value-list) stored without a
131 All offset-values are relative to the first hbin-block and point to the
132 block-size field of the record-entry. to get the file offset, you have to add
133 the header size (4kb) and the size field (4 bytes)...
138 0x0000 Word ID: ASCII-"nk" = 0x6B6E
139 0x0002 Word for the root-key: 0x2C, otherwise 0x20 //key symbolic links 0x10. Nigel
140 0x0004 Q-Word write-date/time in windows nt notation
141 0x0010 D-Word Offset of Owner/Parent key
142 0x0014 D-Word number of sub-Keys
143 0x001C D-Word Offset of the sub-key lf-Records
144 0x0024 D-Word number of values
145 0x0028 D-Word Offset of the Value-List
146 0x002C D-Word Offset of the sk-Record
148 0x0030 D-Word Offset of the Class-Name //see NK structure for the use of these fields. Nigel
149 0x0044 D-Word Unused (data-trash) //some kind of run time index. Does not appear to be important. Nigel
150 0x0048 Word name-length
151 0x004A Word class-name length
157 0x0000 D-Word Offset 1st Value
158 0x0004 D-Word Offset 2nd Value
159 0x???? D-Word Offset nth Value
161 To determine the number of values, you have to look at the owner-nk-record!
166 0x0000 Word ID: ASCII-"vk" = 0x6B76
167 0x0002 Word name length
168 0x0004 D-Word length of the data //if top bit is set when offset contains data. Nigel
169 0x0008 D-Word Offset of Data
170 0x000C D-Word Type of value
172 0x0012 Word Unused (data-trash)
175 If bit 0 of the flag-word is set, a name is present, otherwise the value has no name (=default)
177 If the data-size is lower 5, the data-offset value is used to store the data itself!
182 0x0001 RegSZ: character string (in UNICODE!)
183 0x0002 ExpandSZ: string with "%var%" expanding (UNICODE!)
184 0x0003 RegBin: raw-binary value
185 0x0004 RegDWord: Dword
186 0x0007 RegMultiSZ: multiple strings, seperated with 0
192 0x0000 Word ID: ASCII-"lf" = 0x666C
193 0x0002 Word number of keys
194 0x0004 ???? Hash-Records
199 0x0000 D-Word Offset of corresponding "nk"-Record
200 0x0004 D-Word ASCII: the first 4 characters of the key-name, padded with 0's. Case sensitiv!
202 Keep in mind, that the value at 0x0004 is used for checking the data-consistency! If you change the
203 key-name you have to change the hash-value too!
205 //These hashrecords must be sorted low to high within the lf record. Nigel.
209 (due to the complexity of the SAM-info, not clear jet)
210 (This is just a security descriptor in the data. R Sharpe.)
214 0x0000 Word ID: ASCII-"sk" = 0x6B73
216 0x0004 D-Word Offset of previous "sk"-Record
217 0x0008 D-Word Offset of next "sk"-Record
218 0x000C D-Word usage-counter
219 0x0010 D-Word Size of "sk"-record in bytes
221 relative security desciptor. Nigel
222 ???? ???? Security and auditing settings...
225 The usage counter counts the number of references to this
226 "sk"-record. You can use one "sk"-record for the entire registry!
228 Windows nt date/time format
229 ===========================
230 The time-format is a 64-bit integer which is incremented every
231 0,0000001 seconds by 1 (I don't know how accurate it realy is!)
232 It starts with 0 at the 1st of january 1601 0:00! All values are
233 stored in GMT time! The time-zone is important to get the real
236 Common values for win95 and win-nt
237 ==================================
238 Offset values marking an "end of list", are either 0 or -1 (0xFFFFFFFF).
239 If a value has no name (length=0, flag(bit 0)=0), it is treated as the
241 If a value has no data (length=0), it is displayed as empty.
243 simplyfied win-3.?? registry:
244 =============================
247 | next rec. |---+ +----->+------------+
248 | first sub | | | | Usage cnt. |
249 | name | | +-->+------------+ | | length |
250 | value | | | | next rec. | | | text |------->+-------+
251 +-----------+ | | | name rec. |--+ +------------+ | xxxxx |
252 +------------+ | | value rec. |-------->+------------+ +-------+
253 v | +------------+ | Usage cnt. |
254 +-----------+ | | length |
255 | next rec. | | | text |------->+-------+
256 | first sub |------+ +------------+ | xxxxx |
261 Greatly simplyfied structure of the nt-registry:
262 ================================================
264 +---------------------------------------------------------------+
267 +---------+ +---------->+-----------+ +----->+---------+ |
268 | "nk" | | | lf-rec. | | | nk-rec. | |
269 | ID | | | # of keys | | | parent |---+
270 | Date | | | 1st key |--+ | .... |
271 | parent | | +-----------+ +---------+
273 | values |--------------------->+----------+
274 | SK-rec. |---------------+ | 1. value |--> +----------+
275 | class |--+ | +----------+ | vk-rec. |
276 +---------+ | | | .... |
277 v | | data |--> +-------+
278 +------------+ | +----------+ | xxxxx |
279 | Class name | | +-------+
282 +---------+ +---------+
283 +----->| next sk |--->| Next sk |--+
284 | +---| prev sk |<---| prev sk | |
285 | | | .... | | ... | |
286 | | +---------+ +---------+ |
289 | +--------------------+ |
290 +----------------------------------+
292 ---------------------------------------------------------------------------
294 Hope this helps.... (Although it was "fun" for me to uncover this things,
295 it took me several sleepless nights ;)
299 *************************************************************************/
305 #include <sys/types.h>
306 #include <sys/stat.h>
308 #include <sys/mman.h>
313 static int verbose = 0;
316 * These definitions are for the in-memory registry structure.
317 * It is a tree structure that mimics what you see with tools like regedit
321 * DateTime struct for Windows
324 typedef struct date_time_s {
325 unsigned int low, high;
329 * Definition of a Key. It has a name, classname, date/time last modified,
330 * sub-keys, values, and a security descriptor
333 #define REG_ROOT_KEY 1
334 #define REG_SUB_KEY 2
335 #define REG_SYM_LINK 3
337 typedef struct reg_key_s {
338 char *name; /* Name of the key */
340 int type; /* One of REG_ROOT_KEY or REG_SUB_KEY */
341 NTTIME last_mod; /* Time last modified */
342 struct reg_key_s *owner;
343 struct key_list_s *sub_keys;
344 struct val_list_s *values;
345 struct key_sec_desc_s *security;
349 * The KEY_LIST struct lists sub-keys.
352 typedef struct key_list_s {
357 typedef struct val_key_s {
362 void *data_blk; /* Might want a separate block */
365 typedef struct val_list_s {
371 #define MAXSUBAUTHS 15
374 typedef struct dom_sid_s {
375 unsigned char ver, auths;
376 unsigned char auth[6];
377 unsigned int sub_auths[MAXSUBAUTHS];
380 typedef struct ace_struct_s {
381 unsigned char type, flags;
382 unsigned int perms; /* Perhaps a better def is in order */
386 typedef struct acl_struct_s {
387 unsigned short rev, refcnt;
388 unsigned short num_aces;
392 typedef struct sec_desc_s {
393 unsigned int rev, type;
394 DOM_SID *owner, *group;
398 #define SEC_DESC_NON 0
399 #define SEC_DESC_RES 1
400 #define SEC_DESC_OCU 2
402 typedef struct key_sec_desc_s {
403 struct key_sec_desc_s *prev, *next;
411 * An API for accessing/creating/destroying items above
415 * Iterate over the keys, depth first, calling a function for each key
416 * and indicating if it is terminal or non-terminal and if it has values.
418 * In addition, for each value in the list, call a value list function
422 * There should eventually be one to deal with security keys as well
425 typedef int (*key_print_f)(const char *path, char *key_name, char *class_name,
426 int root, int terminal, int values);
428 typedef int (*val_print_f)(const char *path, char *val_name, int val_type,
429 int data_len, void *data_blk, int terminal,
430 int first, int last);
432 typedef int (*sec_print_f)(SEC_DESC *sec_desc);
434 typedef struct regf_struct_s REGF;
436 int nt_key_iterator(REGF *regf, REG_KEY *key_tree, int bf, const char *path,
437 key_print_f key_print, sec_print_f sec_print,
438 val_print_f val_print);
440 int nt_val_list_iterator(REGF *regf, VAL_LIST *val_list, int bf, char *path,
441 int terminal, val_print_f val_print)
445 if (!val_list) return 1;
447 if (!val_print) return 1;
449 for (i=0; i<val_list->val_count; i++) {
450 if (!val_print(path, val_list->vals[i]->name, val_list->vals[i]->data_type,
451 val_list->vals[i]->data_len, val_list->vals[i]->data_blk,
454 (i == val_list->val_count))) {
464 int nt_key_list_iterator(REGF *regf, KEY_LIST *key_list, int bf,
466 key_print_f key_print, sec_print_f sec_print,
467 val_print_f val_print)
471 if (!key_list) return 1;
473 for (i=0; i< key_list->key_count; i++) {
474 if (!nt_key_iterator(regf, key_list->keys[i], bf, path, key_print,
475 sec_print, val_print)) {
482 int nt_key_iterator(REGF *regf, REG_KEY *key_tree, int bf, const char *path,
483 key_print_f key_print, sec_print_f sec_print,
484 val_print_f val_print)
486 int path_len = strlen(path);
489 if (!regf || !key_tree)
492 /* List the key first, then the values, then the sub-keys */
496 if (!(*key_print)(path, key_tree->name,
497 key_tree->class_name,
498 (key_tree->type == REG_ROOT_KEY),
499 (key_tree->sub_keys == NULL),
500 (key_tree->values?(key_tree->values->val_count):0)))
505 * If we have a security print routine, call it
506 * If the security print routine returns false, stop.
509 if (key_tree->security && !(*sec_print)(key_tree->security->sec_desc))
513 new_path = (char *)malloc(path_len + 1 + strlen(key_tree->name) + 1);
514 if (!new_path) return 0; /* Errors? */
516 strcat(new_path, path);
517 strcat(new_path, "\\");
518 strcat(new_path, key_tree->name);
521 * Now, iterate through the values in the val_list
524 if (key_tree->values &&
525 !nt_val_list_iterator(regf, key_tree->values, bf, new_path,
526 (key_tree->values!=NULL),
534 * Now, iterate through the keys in the key list
537 if (key_tree->sub_keys &&
538 !nt_key_list_iterator(regf, key_tree->sub_keys, bf, new_path, key_print,
539 sec_print, val_print)) {
548 /* Make, delete keys */
550 int nt_delete_val_key(VAL_KEY *val_key)
554 if (val_key->data_blk) free(val_key->data_blk);
560 int nt_delete_val_list(VAL_LIST *vl)
565 for (i=0; i<vl->val_count; i++)
566 nt_delete_val_key(vl->vals[i]);
572 int nt_delete_reg_key(REG_KEY *key);
573 int nt_delete_key_list(KEY_LIST *key_list)
578 for (i=0; i<key_list->key_count; i++)
579 nt_delete_reg_key(key_list->keys[i]);
585 int nt_delete_sid(DOM_SID *sid)
593 int nt_delete_ace(ACE *ace)
597 nt_delete_sid(ace->trustee);
604 int nt_delete_acl(ACL *acl)
610 for (i=0; i<acl->num_aces; i++)
611 nt_delete_ace(acl->aces[i]);
618 int nt_delete_sec_desc(SEC_DESC *sec_desc)
623 nt_delete_sid(sec_desc->owner);
624 nt_delete_sid(sec_desc->group);
625 nt_delete_acl(sec_desc->sacl);
626 nt_delete_acl(sec_desc->dacl);
633 int nt_delete_key_sec_desc(KEY_SEC_DESC *key_sec_desc)
637 key_sec_desc->ref_cnt--;
638 if (key_sec_desc->ref_cnt<=0) {
640 * There should always be a next and prev, even if they point to us
642 key_sec_desc->next->prev = key_sec_desc->prev;
643 key_sec_desc->prev->next = key_sec_desc->next;
644 nt_delete_sec_desc(key_sec_desc->sec_desc);
650 int nt_delete_reg_key(REG_KEY *key)
654 if (key->name) free(key->name);
655 if (key->class_name) free(key->class_name);
658 * Do not delete the owner ...
661 if (key->sub_keys) nt_delete_key_list(key->sub_keys);
662 if (key->values) nt_delete_val_list(key->values);
663 if (key->security) nt_delete_key_sec_desc(key->security);
670 * Create/delete key lists and add delete keys to/from a list, count the keys
675 * Create/delete value lists, add/delete values, count them
680 * Create/delete security descriptors, add/delete SIDS, count SIDS, etc.
681 * We reference count the security descriptors. Any new reference increments
682 * the ref count. If we modify an SD, we copy the old one, dec the ref count
683 * and make the change. We also want to be able to check for equality so
684 * we can reduce the number of SDs in use.
688 * Code to parse registry specification from command line or files
691 * [cmd:]key:type:value
693 * cmd = a|d|c|add|delete|change|as|ds|cs
699 * Load and unload a registry file.
701 * Load, loads it into memory as a tree, while unload sealizes/flattens it
705 * Get the starting record for NT Registry file
708 /* A map of sk offsets in the regf to KEY_SEC_DESCs for quick lookup etc */
709 typedef struct sk_map_s {
711 KEY_SEC_DESC *key_sec_desc;
715 * Where we keep all the regf stuff for one registry.
716 * This is the structure that we use to tie the in memory tree etc
717 * together. By keeping separate structs, we can operate on different
718 * registries at the same time.
719 * Currently, the SK_MAP is an array of mapping structure.
720 * Since we only need this on input and output, we fill in the structure
721 * as we go on input. On output, we know how many SK items we have, so
722 * we can allocate the structure as we need to.
723 * If you add stuff here that is dynamically allocated, add the
724 * appropriate free statements below.
727 #define REGF_REGTYPE_NONE 0
728 #define REGF_REGTYPE_NT 1
729 #define REGF_REGTYPE_W9X 2
731 #define TTTONTTIME(r, t1, t2) (r)->last_mod_time.low = (t1); \
732 (r)->last_mod_time.high = (t2);
734 #define REGF_HDR_BLKSIZ 0x1000
736 struct regf_struct_s {
738 char *regfile_name, *outfile_name;
743 NTTIME last_mod_time;
744 REG_KEY *root; /* Root of the tree for this file */
745 int sk_count, sk_map_size;
750 * Structures for dealing with the on-disk format of the registry
753 #define IVAL(buf) ((unsigned int) \
754 (unsigned int)*((unsigned char *)(buf)+3)<<24| \
755 (unsigned int)*((unsigned char *)(buf)+2)<<16| \
756 (unsigned int)*((unsigned char *)(buf)+1)<<8| \
757 (unsigned int)*((unsigned char *)(buf)+0))
759 #define SVAL(buf) ((unsigned short) \
760 (unsigned short)*((unsigned char *)(buf)+1)<<8| \
761 (unsigned short)*((unsigned char *)(buf)+0))
763 #define CVAL(buf) ((unsigned char)*((unsigned char *)(buf)))
765 #define OFF(f) ((f) + REGF_HDR_BLKSIZ + 4)
766 #define LOCN(base, f) ((base) + OFF(f))
769 * All of the structures below actually have a four-byte lenght before them
770 * which always seems to be negative. The following macro retrieves that
774 #define BLK_SIZE(b) ((int)*(int *)(((int *)b)-1))
776 typedef unsigned int DWORD;
777 typedef unsigned short WORD;
779 #define REG_REGF_ID 0x66676572
781 typedef struct regf_block {
782 DWORD REGF_ID; /* regf */
790 DWORD first_key; /* offset */
791 unsigned int dblk_size;
792 DWORD uk7[116]; /* 1 */
796 typedef struct hbin_sub_struct {
801 #define REG_HBIN_ID 0x6E696268
803 typedef struct hbin_struct {
804 DWORD HBIN_ID; /* hbin */
812 HBIN_SUB_HDR hbin_sub_hdr;
815 #define REG_NK_ID 0x6B6E
817 typedef struct nk_struct {
835 char key_nam[1]; /* Actual length determined by nam_len */
838 #define REG_SK_ID 0x6B73
840 typedef struct sk_struct {
850 typedef struct ace_struct {
853 unsigned short length;
858 typedef struct acl_struct {
862 REG_ACE *aces; /* One or more ACEs */
865 typedef struct sec_desc_rec {
874 typedef struct hash_struct {
879 #define REG_LF_ID 0x666C
881 typedef struct lf_struct {
884 struct hash_struct hr[1]; /* Array of hash records, depending on key_count */
887 typedef DWORD VL_TYPE[1]; /* Value list is an array of vk rec offsets */
889 #define REG_VK_ID 0x6B76
891 typedef struct vk_struct {
894 DWORD dat_len; /* If top-bit set, offset contains the data */
897 WORD flag; /* =1, has name, else no name (=Default). */
899 char dat_name[1]; /* Name starts here ... */
902 #define REG_TYPE_REGSZ 1
903 #define REG_TYPE_EXPANDSZ 2
904 #define REG_TYPE_BIN 3
905 #define REG_TYPE_DWORD 4
906 #define REG_TYPE_MULTISZ 7
908 typedef struct _val_str {
913 const VAL_STR reg_type_names[] = {
915 { 2, "REG_EXPAND_SZ" },
918 { 7, "REG_MULTI_SZ" },
922 const char *val_to_str(unsigned int val, const VAL_STR *val_array)
926 if (!val_array) return NULL;
928 while (val_array[i].val && val_array[i].str) {
930 if (val_array[i].val == val) return val_array[i].str;
940 * Convert from UniCode to Ascii ... Does not take into account other lang
941 * Restrict by ascii_max if > 0
943 int uni_to_ascii(unsigned char *uni, unsigned char *ascii, int ascii_max,
948 while (i < ascii_max && !(!uni[i*2] && !uni[i*2+1])) {
949 if (uni_max > 0 && (i*2) >= uni_max) break;
961 * Convert a data value to a string for display
963 int data_to_ascii(unsigned char *datap, int len, int type, char *ascii, int ascii_max)
965 unsigned char *asciip;
970 fprintf(stderr, "Len: %d\n", len);
971 return uni_to_ascii(datap, ascii, len, ascii_max);
974 case REG_TYPE_EXPANDSZ:
975 return uni_to_ascii(datap, ascii, len, ascii_max);
980 for (i=0; (i<len)&&(i+1)*3<ascii_max; i++) {
981 int str_rem = ascii_max - ((int)asciip - (int)ascii);
982 asciip += snprintf(asciip, str_rem, "%02x", *(unsigned char *)(datap+i));
983 if (i < len && str_rem > 0)
984 *asciip = ' '; asciip++;
987 return ((int)asciip - (int)ascii);
991 if (*(int *)datap == 0)
992 return snprintf(ascii, ascii_max, "0");
994 return snprintf(ascii, ascii_max, "0x%x", *(int *)datap);
997 case REG_TYPE_MULTISZ:
1010 REG_KEY *nt_get_key_tree(REGF *regf, NK_HDR *nk_hdr, int size);
1012 int nt_set_regf_input_file(REGF *regf, char *filename)
1014 return ((regf->regfile_name = strdup(filename)) != NULL);
1017 int nt_set_regf_output_file(REGF *regf, char *filename)
1019 return ((regf->outfile_name = strdup(filename)) != NULL);
1022 /* Create a regf structure and init it */
1024 REGF *nt_create_regf(void)
1026 REGF *tmp = (REGF *)malloc(sizeof(REGF));
1027 if (!tmp) return tmp;
1028 bzero(tmp, sizeof(REGF));
1032 /* Free all the bits and pieces ... Assumes regf was malloc'd */
1033 /* If you add stuff to REGF, add the relevant free bits here */
1034 int nt_free_regf(REGF *regf)
1036 if (!regf) return 0;
1038 if (regf->regfile_name) free(regf->regfile_name);
1039 if (regf->outfile_name) free(regf->outfile_name);
1041 /* Free the mmap'd area */
1043 if (regf->base) munmap(regf->base, regf->sbuf.st_size);
1045 close(regf->fd); /* Ignore the error :-) */
1047 nt_delete_reg_key(regf->root); /* Free the tree */
1049 regf->sk_count = regf->sk_map_size = 0;
1056 /* Get the header of the registry. Return a pointer to the structure
1057 * If the mmap'd area has not been allocated, then mmap the input file
1059 REGF_HDR *nt_get_regf_hdr(REGF *regf)
1062 return NULL; /* What about errors */
1064 if (!regf->regfile_name)
1065 return NULL; /* What about errors */
1067 if (!regf->base) { /* Try to mmap etc the file */
1069 if ((regf->fd = open(regf->regfile_name, O_RDONLY, 0000)) <0) {
1070 return NULL; /* What about errors? */
1073 if (fstat(regf->fd, ®f->sbuf) < 0) {
1077 regf->base = mmap(0, regf->sbuf.st_size, PROT_READ, MAP_SHARED, regf->fd, 0);
1079 if ((int)regf->base == 1) {
1080 fprintf(stderr, "Could not mmap file: %s, %s\n", regf->regfile_name,
1087 * At this point, regf->base != NULL, and we should be able to read the
1091 assert(regf->base != NULL);
1093 return (REGF_HDR *)regf->base;
1097 * Validate a regf header
1098 * For now, do nothing, but we should check the checksum
1100 int valid_regf_hdr(REGF_HDR *regf_hdr)
1102 if (!regf_hdr) return 0;
1108 * Process an SK header ...
1109 * Every time we see a new one, add it to the map. Otherwise, just look it up.
1110 * We will do a simple linear search for the moment, since many KEYs have the
1111 * same security descriptor.
1112 * We allocate the map in increments of 10 entries.
1116 * Create a new entry in the map, and increase the size of the map if needed
1119 SK_MAP *alloc_sk_map_entry(REGF *regf, KEY_SEC_DESC *tmp, int sk_off)
1121 if (!regf->sk_map) { /* Allocate a block of 10 */
1122 regf->sk_map = (SK_MAP *)malloc(sizeof(SK_MAP) * 10);
1123 if (!regf->sk_map) {
1127 regf->sk_map_size = 10;
1129 (regf->sk_map)[0].sk_off = sk_off;
1130 (regf->sk_map)[0].key_sec_desc = tmp;
1132 else { /* Simply allocate a new slot, unless we have to expand the list */
1133 int ndx = regf->sk_count;
1134 if (regf->sk_count >= regf->sk_map_size) {
1135 regf->sk_map = (SK_MAP *)realloc(regf->sk_map,
1136 (regf->sk_map_size + 10)*sizeof(SK_MAP));
1137 if (!regf->sk_map) {
1142 * ndx already points at the first entry of the new block
1144 regf->sk_map_size += 10;
1146 (regf->sk_map)[ndx].sk_off = sk_off;
1147 (regf->sk_map)[ndx].key_sec_desc = tmp;
1150 return regf->sk_map;
1154 * Search for a KEY_SEC_DESC in the sk_map, but dont create one if not
1158 KEY_SEC_DESC *lookup_sec_key(SK_MAP *sk_map, int count, int sk_off)
1162 if (!sk_map) return NULL;
1164 for (i = 0; i < count; i++) {
1166 if (sk_map[i].sk_off == sk_off)
1167 return sk_map[i].key_sec_desc;
1176 * Allocate a KEY_SEC_DESC if we can't find one in the map
1179 KEY_SEC_DESC *lookup_create_sec_key(REGF *regf, SK_MAP *sk_map, int sk_off)
1181 KEY_SEC_DESC *tmp = lookup_sec_key(regf->sk_map, regf->sk_count, sk_off);
1186 else { /* Allocate a new one */
1187 tmp = (KEY_SEC_DESC *)malloc(sizeof(KEY_SEC_DESC));
1191 tmp->state = SEC_DESC_RES;
1192 if (!alloc_sk_map_entry(regf, tmp, sk_off)) {
1200 * Allocate storage and duplicate a SID
1201 * We could allocate the SID to be only the size needed, but I am too lazy.
1203 DOM_SID *dup_sid(DOM_SID *sid)
1205 DOM_SID *tmp = (DOM_SID *)malloc(sizeof(DOM_SID));
1208 if (!tmp) return NULL;
1209 tmp->ver = sid->ver;
1210 tmp->auths = sid->auths;
1211 for (i=0; i<6; i++) {
1212 tmp->auth[i] = sid->auth[i];
1214 for (i=0; i<tmp->auths&&i<MAXSUBAUTHS; i++) {
1215 tmp->sub_auths[i] = sid->sub_auths[i];
1221 * Allocate space for an ACE and duplicate the registry encoded one passed in
1223 ACE *dup_ace(REG_ACE *ace)
1227 tmp = (ACE *)malloc(sizeof(ACE));
1229 if (!tmp) return NULL;
1231 tmp->type = CVAL(&ace->type);
1232 tmp->flags = CVAL(&ace->flags);
1233 tmp->perms = IVAL(&ace->perms);
1234 tmp->trustee = dup_sid(&ace->trustee);
1239 * Allocate space for an ACL and duplicate the registry encoded one passed in
1241 ACL *dup_acl(REG_ACL *acl)
1247 num_aces = IVAL(&acl->num_aces);
1249 tmp = (ACL *)malloc(sizeof(ACL) + (num_aces - 1)*sizeof(ACE *));
1250 if (!tmp) return NULL;
1252 tmp->num_aces = num_aces;
1254 tmp->rev = SVAL(&acl->rev);
1255 ace = (REG_ACE *)&acl->aces;
1256 for (i=0; i<num_aces; i++) {
1257 tmp->aces[i] = dup_ace(ace);
1258 ace = (REG_ACE *)((char *)ace + SVAL(&ace->length));
1259 /* XXX: FIXME, should handle malloc errors */
1265 SEC_DESC *process_sec_desc(REGF *regf, REG_SEC_DESC *sec_desc)
1267 SEC_DESC *tmp = NULL;
1269 tmp = (SEC_DESC *)malloc(sizeof(SEC_DESC));
1275 tmp->rev = SVAL(&sec_desc->rev);
1276 tmp->type = SVAL(&sec_desc->type);
1277 tmp->owner = dup_sid((DOM_SID *)((char *)sec_desc + IVAL(&sec_desc->owner_off)));
1282 tmp->group = dup_sid((DOM_SID *)((char *)sec_desc + IVAL(&sec_desc->group_off)));
1288 /* Now pick up the SACL and DACL */
1290 if (sec_desc->sacl_off)
1291 tmp->sacl = dup_acl((REG_ACL *)((char *)sec_desc + IVAL(&sec_desc->sacl_off)));
1295 if (sec_desc->dacl_off)
1296 tmp->dacl = dup_acl((REG_ACL *)((char *)sec_desc + IVAL(&sec_desc->dacl_off)));
1303 KEY_SEC_DESC *process_sk(REGF *regf, SK_HDR *sk_hdr, int sk_off, int size)
1305 KEY_SEC_DESC *tmp = NULL;
1306 int sk_next_off, sk_prev_off, sk_size;
1307 REG_SEC_DESC *sec_desc;
1309 if (!sk_hdr) return NULL;
1311 if (SVAL(&sk_hdr->SK_ID) != REG_SK_ID) {
1312 fprintf(stderr, "Unrecognized SK Header ID: %08X, %s\n", (int)sk_hdr,
1313 regf->regfile_name);
1317 if (-size < (sk_size = IVAL(&sk_hdr->rec_size))) {
1318 fprintf(stderr, "Incorrect SK record size: %d vs %d. %s\n",
1319 -size, sk_size, regf->regfile_name);
1324 * Now, we need to look up the SK Record in the map, and return it
1325 * Since the map contains the SK_OFF mapped to KEY_SEC_DESC, we can
1330 ((tmp = lookup_sec_key(regf->sk_map, regf->sk_count, sk_off)) != NULL)
1331 && (tmp->state == SEC_DESC_OCU)) {
1336 /* Here, we have an item in the map that has been reserved, or tmp==NULL. */
1338 assert(tmp == NULL || (tmp && tmp->state != SEC_DESC_NON));
1341 * Now, allocate a KEY_SEC_DESC, and parse the structure here, and add the
1342 * new KEY_SEC_DESC to the mapping structure, since the offset supplied is
1343 * the actual offset of structure. The same offset will be used by all
1344 * all future references to this structure
1345 * We chould put all this unpleasantness in a function.
1349 tmp = (KEY_SEC_DESC *)malloc(sizeof(KEY_SEC_DESC));
1350 if (!tmp) return NULL;
1351 bzero(tmp, sizeof(KEY_SEC_DESC));
1354 * Allocate an entry in the SK_MAP ...
1355 * We don't need to free tmp, because that is done for us if the
1356 * sm_map entry can't be expanded when we need more space in the map.
1359 if (!alloc_sk_map_entry(regf, tmp, sk_off)) {
1365 tmp->state = SEC_DESC_OCU;
1368 * Now, process the actual sec desc and plug the values in
1371 sec_desc = (REG_SEC_DESC *)&sk_hdr->sec_desc[0];
1372 tmp->sec_desc = process_sec_desc(regf, sec_desc);
1375 * Now forward and back links. Here we allocate an entry in the sk_map
1376 * if it does not exist, and mark it reserved
1379 sk_prev_off = IVAL(&sk_hdr->prev_off);
1380 tmp->prev = lookup_create_sec_key(regf, regf->sk_map, sk_prev_off);
1381 assert(tmp->prev != NULL);
1382 sk_next_off = IVAL(&sk_hdr->next_off);
1383 tmp->next = lookup_create_sec_key(regf, regf->sk_map, sk_next_off);
1384 assert(tmp->next != NULL);
1390 * Process a VK header and return a value
1392 VAL_KEY *process_vk(REGF *regf, VK_HDR *vk_hdr, int size)
1394 char val_name[1024];
1395 int nam_len, dat_len, flag, dat_type, dat_off, vk_id;
1396 const char *val_type;
1397 VAL_KEY *tmp = NULL;
1399 if (!vk_hdr) return NULL;
1401 if ((vk_id = SVAL(&vk_hdr->VK_ID)) != REG_VK_ID) {
1402 fprintf(stderr, "Unrecognized VK header ID: %0X, block: %0X, %s\n",
1403 vk_id, (int)vk_hdr, regf->regfile_name);
1407 nam_len = SVAL(&vk_hdr->nam_len);
1408 val_name[nam_len] = '\0';
1409 flag = SVAL(&vk_hdr->flag);
1410 dat_type = IVAL(&vk_hdr->dat_type);
1411 dat_len = IVAL(&vk_hdr->dat_len); /* If top bit, offset contains data */
1412 dat_off = IVAL(&vk_hdr->dat_off);
1414 tmp = (VAL_KEY *)malloc(sizeof(VAL_KEY));
1418 bzero(tmp, sizeof(VAL_KEY));
1419 tmp->has_name = flag;
1420 tmp->data_type = dat_type;
1423 strncpy(val_name, vk_hdr->dat_name, nam_len);
1424 tmp->name = strdup(val_name);
1430 strncpy(val_name, "<No Name>", 10);
1433 * Allocate space and copy the data as a BLOB
1438 char *dtmp = (char *)malloc(dat_len&0x7FFFFFFF);
1444 tmp->data_blk = dtmp;
1446 if ((dat_len&0x80000000) == 0) { /* The data is pointed to by the offset */
1447 char *dat_ptr = LOCN(regf->base, dat_off);
1448 bcopy(dat_ptr, dtmp, dat_len);
1450 else { /* The data is in the offset */
1451 dat_len = dat_len & 0x7FFFFFFF;
1452 bcopy(&dat_off, dtmp, dat_len);
1455 tmp->data_len = dat_len;
1458 val_type = val_to_str(dat_type, reg_type_names);
1461 * We need to save the data area as well
1464 if (verbose) fprintf(stdout, " %s : %s : \n", val_name, val_type);
1469 /* XXX: FIXME, free the partially allocated struct */
1475 * Process a VL Header and return a list of values
1477 VAL_LIST *process_vl(REGF *regf, VL_TYPE vl, int count, int size)
1481 VAL_LIST *tmp = NULL;
1483 if (!vl) return NULL;
1485 if (-size < (count+1)*sizeof(int)){
1486 fprintf(stderr, "Error in VL header format. Size less than space required. %d\n", -size);
1490 tmp = (VAL_LIST *)malloc(sizeof(VAL_LIST) + (count - 1) * sizeof(VAL_KEY *));
1495 for (i=0; i<count; i++) {
1496 vk_off = IVAL(&vl[i]);
1497 vk_hdr = (VK_HDR *)LOCN(regf->base, vk_off);
1498 tmp->vals[i] = process_vk(regf, vk_hdr, BLK_SIZE(vk_hdr));
1504 tmp->val_count = count;
1509 /* XXX: FIXME, free the partially allocated structure */
1514 * Process an LF Header and return a list of sub-keys
1516 KEY_LIST *process_lf(REGF *regf, LF_HDR *lf_hdr, int size)
1518 int count, i, nk_off;
1522 if (!lf_hdr) return NULL;
1524 if ((lf_id = SVAL(&lf_hdr->LF_ID)) != REG_LF_ID) {
1525 fprintf(stderr, "Unrecognized LF Header format: %0X, Block: %0X, %s.\n",
1526 lf_id, (int)lf_hdr, regf->regfile_name);
1532 count = SVAL(&lf_hdr->key_count);
1534 if (count <= 0) return NULL;
1536 /* Now, we should allocate a KEY_LIST struct and fill it in ... */
1538 tmp = (KEY_LIST *)malloc(sizeof(KEY_LIST) + (count - 1) * sizeof(REG_KEY *));
1543 tmp->key_count = count;
1545 for (i=0; i<count; i++) {
1548 nk_off = IVAL(&lf_hdr->hr[i].nk_off);
1549 nk_hdr = (NK_HDR *)LOCN(regf->base, nk_off);
1550 tmp->keys[i] = nt_get_key_tree(regf, nk_hdr, BLK_SIZE(nk_hdr));
1551 if (!tmp->keys[i]) {
1559 /* XXX: FIXME, free the partially allocated structure */
1564 * This routine is passed a NK_HDR pointer and retrieves the entire tree
1565 * from there down. It return a REG_KEY *.
1567 REG_KEY *nt_get_key_tree(REGF *regf, NK_HDR *nk_hdr, int size)
1569 REG_KEY *tmp = NULL;
1570 int name_len, clsname_len, lf_off, val_off, val_count, sk_off;
1575 char key_name[1024], cls_name[1024];
1577 if (!nk_hdr) return NULL;
1579 if ((nk_id = SVAL(&nk_hdr->NK_ID)) != REG_NK_ID) {
1580 fprintf(stderr, "Unrecognized NK Header format: %08X, Block: %0X. %s\n",
1581 nk_id, (int)nk_hdr, regf->regfile_name);
1587 name_len = SVAL(&nk_hdr->nam_len);
1588 clsname_len = SVAL(&nk_hdr->clsnam_len);
1591 * The value of -size should be ge
1592 * (sizeof(NK_HDR) - 1 + name_len)
1593 * The -1 accounts for the fact that we included the first byte of
1594 * the name in the structure. clsname_len is the length of the thing
1595 * pointed to by clsnam_off
1598 if (-size < (sizeof(NK_HDR) - 1 + name_len)) {
1599 fprintf(stderr, "Incorrect NK_HDR size: %d, %0X\n", -size, (int)nk_hdr);
1600 fprintf(stderr, "Sizeof NK_HDR: %d, name_len %d, clsname_len %d\n",
1601 sizeof(NK_HDR), name_len, clsname_len);
1605 if (verbose) fprintf(stdout, "NK HDR: Name len: %d, class name len: %d\n",
1606 name_len, clsname_len);
1608 /* Fish out the key name and process the LF list */
1610 assert(name_len < sizeof(key_name));
1612 /* Allocate the key struct now */
1613 tmp = (REG_KEY *)malloc(sizeof(REG_KEY));
1614 if (!tmp) return tmp;
1615 bzero(tmp, sizeof(REG_KEY));
1617 tmp->type = (SVAL(&nk_hdr->type)==0x2C?REG_ROOT_KEY:REG_SUB_KEY);
1619 strncpy(key_name, nk_hdr->key_nam, name_len);
1620 key_name[name_len] = '\0';
1622 if (verbose) fprintf(stdout, "Key name: %s\n", key_name);
1624 tmp->name = strdup(key_name);
1630 * Fish out the class name, it is in UNICODE, while the key name is
1634 if (clsname_len) { /* Just print in Ascii for now */
1638 clsnam_off = IVAL(&nk_hdr->clsnam_off);
1639 clsnamep = LOCN(regf->base, clsnam_off);
1641 bzero(cls_name, clsname_len);
1642 uni_to_ascii(clsnamep, cls_name, sizeof(cls_name), clsname_len);
1645 * I am keeping class name as an ascii string for the moment.
1646 * That means it needs to be converted on output.
1650 tmp->class_name = strdup(cls_name);
1651 if (!tmp->class_name) {
1655 if (verbose) fprintf(stdout, " Class Name: %s\n", cls_name);
1660 * If there are any values, process them here
1663 val_count = IVAL(&nk_hdr->val_cnt);
1667 val_off = IVAL(&nk_hdr->val_off);
1668 vl = (VL_TYPE *)LOCN(regf->base, val_off);
1670 tmp->values = process_vl(regf, *vl, val_count, BLK_SIZE(vl));
1678 * Also handle the SK header ...
1681 sk_off = IVAL(&nk_hdr->sk_off);
1682 sk_hdr = (SK_HDR *)LOCN(regf->base, sk_off);
1686 tmp->security = process_sk(regf, sk_hdr, sk_off, BLK_SIZE(sk_hdr));
1690 lf_off = IVAL(&nk_hdr->lf_off);
1693 * No more subkeys if lf_off == -1
1698 lf_hdr = (LF_HDR *)LOCN(regf->base, lf_off);
1700 tmp->sub_keys = process_lf(regf, lf_hdr, BLK_SIZE(lf_hdr));
1701 if (!tmp->sub_keys){
1710 if (tmp) nt_delete_reg_key(tmp);
1714 int nt_load_registry(REGF *regf)
1717 unsigned int regf_id, hbin_id;
1721 /* Get the header */
1723 if ((regf_hdr = nt_get_regf_hdr(regf)) == NULL) {
1727 /* Now process that header and start to read the rest in */
1729 if ((regf_id = IVAL(®f_hdr->REGF_ID)) != REG_REGF_ID) {
1730 fprintf(stderr, "Unrecognized NT registry header id: %0X, %s\n",
1731 regf_id, regf->regfile_name);
1736 * Validate the header ...
1738 if (!valid_regf_hdr(regf_hdr)) {
1739 fprintf(stderr, "Registry file header does not validate: %s\n",
1740 regf->regfile_name);
1744 /* Update the last mod date, and then go get the first NK record and on */
1746 TTTONTTIME(regf, IVAL(®f_hdr->tim1), IVAL(®f_hdr->tim2));
1749 * The hbin hdr seems to be just uninteresting garbage. Check that
1750 * it is there, but that is all.
1753 hbin_hdr = (HBIN_HDR *)(regf->base + REGF_HDR_BLKSIZ);
1755 if ((hbin_id = IVAL(&hbin_hdr->HBIN_ID)) != REG_HBIN_ID) {
1756 fprintf(stderr, "Unrecognized registry hbin hdr ID: %0X, %s\n",
1757 hbin_id, regf->regfile_name);
1762 * Get a pointer to the first key from the hreg_hdr
1765 first_key = (NK_HDR *)LOCN(regf->base, IVAL(®f_hdr->first_key));
1768 * Now, get the registry tree by processing that NK recursively
1771 regf->root = nt_get_key_tree(regf, first_key, BLK_SIZE(first_key));
1773 assert(regf->root != NULL);
1779 * Routines to parse a REGEDIT4 file
1781 * The file consists of:
1787 * There can be more than one key-path and value-spec.
1789 * Since we want to support more than one type of file format, we
1790 * construct a command-file structure that keeps info about the command file
1793 #define FMT_UNREC -1
1794 #define FMT_REGEDIT4 0
1795 #define FMT_EDITREG1_1 1
1797 typedef struct command_s {
1800 void *val_spec_list;
1804 * We seek to offset 0, read in the required number of bytes,
1805 * and compare to the correct value.
1806 * We then seek back to the original location
1808 int regedit4_file_type(int fd)
1812 cur_ofs = lseek(fd, 0, SEEK_CUR); /* Get current offset */
1814 fprintf(stderr, "Unable to get current offset: %s\n", strerror(errno));
1819 lseek(fd, 0, SEEK_SET);
1825 CMD *regedit4_get_cmd(int fd)
1830 int regedit4_exec_cmd(CMD *cmd)
1836 int editreg_1_1_file_type(int fd)
1842 CMD *editreg_1_1_get_cmd(int fd)
1847 int editreg_1_1_exec_cmd(CMD *cmd)
1853 typedef struct command_ops_s {
1855 int (*file_type)(int fd);
1856 CMD *(*get_cmd)(int fd);
1857 int (*exec_cmd)(CMD *cmd);
1860 CMD_OPS default_cmd_ops[] = {
1861 {0, regedit4_file_type, regedit4_get_cmd, regedit4_exec_cmd},
1862 {1, editreg_1_1_file_type, editreg_1_1_get_cmd, editreg_1_1_exec_cmd},
1863 {-1, NULL, NULL, NULL}
1866 typedef struct command_file_s {
1873 * Create a new command file structure
1876 CMD_FILE *cmd_file_create(char *file)
1883 * Let's check if the file exists ...
1884 * No use creating the cmd_file structure if the file does not exist
1887 if (stat(file, &sbuf) < 0) { /* Not able to access file */
1892 tmp = (CMD_FILE *)malloc(sizeof(CMD_FILE));
1898 * Let's fill in some of the fields;
1901 tmp->name = strdup(file);
1903 if ((tmp->fd = open(file, O_RDONLY, 666)) < 0) {
1909 * Now, try to find the format by indexing through the table
1911 while (default_cmd_ops[i].type != -1) {
1912 if ((tmp->type = default_cmd_ops[i].file_type(tmp->fd)) >= 0) {
1913 tmp->cmd_ops = default_cmd_ops[i];
1920 * If we got here, return NULL, as we could not figure out the type
1923 * What about errors?
1931 * Extract commands from the command file, and execute them.
1932 * We pass a table of command callbacks for that
1936 * Main code from here on ...
1940 * key print function here ...
1943 int print_key(const char *path, char *name, char *class_name, int root,
1944 int terminal, int vals)
1947 if (terminal) fprintf(stdout, "%s\\%s\n", path, name);
1953 * Sec Desc print functions
1956 void print_sid(DOM_SID *sid)
1958 int i, comps = sid->auths;
1959 fprintf(stdout, "S-%u-%u", sid->ver, sid->auth[5]);
1961 for (i = 0; i < comps; i++) {
1963 fprintf(stdout, "-%u", sid->sub_auths[i]);
1966 fprintf(stdout, "\n");
1969 int print_sec(SEC_DESC *sec_desc)
1972 fprintf(stdout, " SECURITY\n");
1973 fprintf(stdout, " Owner: ");
1974 print_sid(sec_desc->owner);
1975 fprintf(stdout, " Group: ");
1976 print_sid(sec_desc->group);
1981 * Value print function here ...
1983 int print_val(const char *path, char *val_name, int val_type, int data_len,
1984 void *data_blk, int terminal, int first, int last)
1986 char data_asc[1024];
1988 bzero(data_asc, sizeof(data_asc));
1989 if (!terminal && first)
1990 fprintf(stdout, "%s\n", path);
1991 data_to_ascii((unsigned char *)data_blk, data_len, val_type, data_asc,
1992 sizeof(data_asc) - 1);
1993 fprintf(stdout, " %s : %s : %s\n", (val_name?val_name:"<No Name>"),
1994 val_to_str(val_type, reg_type_names), data_asc);
1998 int main(int argc, char *argv[])
2002 static char *cmd_file = NULL;
2004 struct poptOption long_options[] = {
2006 { "verbose", 'v', POPT_ARG_NONE, NULL, 'v', "Sets verbose mode" },
2007 { "command-file", 'c', POPT_ARG_STRING, &cmd_file, 'c', "Specifies a command file" },
2011 pc = poptGetContext("editreg", argc, (const char **)argv, long_options,
2012 POPT_CONTEXT_KEEP_FIRST);
2014 poptSetOtherOptionHelp(pc, "<registry-file>");
2016 while((opt = poptGetNextOpt(pc)) != -1)
2023 poptGetArg(pc); /* For argv[0] */
2025 if (!poptPeekArg(pc)) {
2026 poptPrintUsage(pc, stderr, 0);
2030 if ((regf = nt_create_regf()) == NULL) {
2031 fprintf(stderr, "Could not create registry object: %s\n", strerror(errno));
2035 if (!nt_set_regf_input_file(regf, poptPeekArg(pc))) {
2036 fprintf(stderr, "Could not set name of registry file: %s, %s\n",
2037 poptPeekArg(pc), strerror(errno));
2041 /* Now, open it, and bring it into memory :-) */
2043 if (nt_load_registry(regf) < 0) {
2044 fprintf(stderr, "Could not load registry: %s\n", poptPeekArg(pc));
2049 * At this point, we should have a registry in memory and should be able
2050 * to iterate over it.
2053 nt_key_iterator(regf, regf->root, 0, "", print_key, print_sec, print_val);
2054 poptFreeContext(pc);