Ejemplo n.º 1
char *getValue(const REGF_VK_REC* vk, char* prefix)
{
  char* quoted_value = NULL;
  char* quoted_name = NULL;
  char* conv_error = NULL;
  const char* str_type = NULL;
  uint32 size;
  uint8 tmp_buf[4];
  char *value = NULL;

  /* Thanks Microsoft for making this process so straight-forward!!! */
  /* XXX: this logic should be abstracted  and pushed into the regfi 
   *      interface.  This includes the size limits.
   */
  size = (vk->data_size & ~VK_DATA_IN_OFFSET);
  if(vk->data_size & VK_DATA_IN_OFFSET)
  {
    tmp_buf[0] = (uint8)((vk->data_off >> 3) & 0xFF);
    tmp_buf[1] = (uint8)((vk->data_off >> 2) & 0xFF);
    tmp_buf[2] = (uint8)((vk->data_off >> 1) & 0xFF);
    tmp_buf[3] = (uint8)(vk->data_off & 0xFF);
    if(size > 4)
    {
      fprintf(stderr, "WARNING: value stored in offset larger than 4. "
	      "Truncating...\n");
      size = 4;
    }
    quoted_value = data_to_ascii(tmp_buf, 4, vk->type, &conv_error);
  }
Ejemplo n.º 2
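/*
 * Print one registry value record as a single comma-separated line on stdout.
 *
 * The line is "<prefix>/<quoted name>,<type>,<quoted value>," and, when
 * print_security is set, five trailing commas instead of one.  The type is
 * printed by name when regfi_type_val2str() knows it, otherwise as an
 * 8-digit hex number.  Diagnostics go to stderr.
 *
 * vk      value record to print; its fields come straight from the hive
 *         file and must be treated as untrusted.
 * prefix  path of the parent key, printed verbatim in front of the name.
 *
 * NOTE(review): ownership of quoted_name, quoted_value and conv_error is
 * not visible here (the fallback name is a talloc child of vk; the
 * allocators behind quote_string() and data_to_ascii() are not shown), so
 * nothing is released in this function -- confirm against those helpers.
 */
void printValue(const REGF_VK_REC* vk, char* prefix)
{
  char* quoted_value = NULL;
  char* quoted_name = NULL;
  char* conv_error = NULL;
  const char* str_type = NULL;
  const char* out_value = NULL;
  uint32 size = vk->data_size;

  /* Microsoft's documentation indicates that "available memory" is
   * the limit on value sizes.  Annoying.  We limit it to 1M which
   * should rarely be exceeded, unless the file is corrupt or
   * malicious. For more info, see:
   *   http://msdn2.microsoft.com/en-us/library/ms724872.aspx
   *
   * NOTE(review): this clamp only caps the length handed to
   * data_to_ascii(); nothing in this function shows that vk->data is
   * non-NULL or really holds `size` bytes.  Confirm that the parser
   * validates data_size against the backing buffer before this point,
   * otherwise a crafted hive could drive an out-of-bounds read.
   */
  if(size > VK_MAX_DATA_LENGTH)
  {
    /* Both quantities are unsigned; "%d" printed huge sizes as negative. */
    fprintf(stderr, "WARNING: value data size %u larger than "
            "%u, truncating...\n",
            (unsigned int)size, (unsigned int)VK_MAX_DATA_LENGTH);
    size = VK_MAX_DATA_LENGTH;
  }

  quoted_name = quote_string(vk->valuename, key_special_chars);
  if (quoted_name == NULL)
  { /* Value names are NULL when we're looking at the "(default)" value.
     * Currently we just return a 0-length string to try and eliminate
     * ambiguity with a literal "(default)" value.  The data type of a line
     * in the output allows one to differentiate between the parent key and
     * this value.
     */
    quoted_name = talloc_size(vk, 1);
    if(quoted_name == NULL)
      bailOut(EX_OSERR, "ERROR: Could not allocate sufficient memory.\n");
    quoted_name[0] = '\0';
  }

  quoted_value = data_to_ascii(vk, vk->data, size, vk->type, &conv_error);
  if(quoted_value == NULL)
  {
    /* A conversion error is only reported in verbose mode, so without
     * print_verbose the empty value field below is the only sign that
     * the data could not be rendered.
     */
    if(conv_error == NULL)
      fprintf(stderr, "WARNING: Could not quote value for '%s/%s'.  "
              "Memory allocation failure likely.\n", prefix, quoted_name);
    else if(print_verbose)
      fprintf(stderr, "WARNING: Could not quote value for '%s/%s'.  "
              "Returned error: %s\n", prefix, quoted_name, conv_error);
  }
  /* XXX: should these always be printed? */
  else if(conv_error != NULL && print_verbose)
    fprintf(stderr, "VERBOSE: While quoting value for '%s/%s', "
            "warning returned: %s\n", prefix, quoted_name, conv_error);

  /* Passing a NULL pointer for "%s" is undefined behaviour, so a failed
   * conversion is printed as an empty field instead.
   */
  out_value = (quoted_value != NULL) ? quoted_value : "";

  str_type = regfi_type_val2str(vk->type);
  if(print_security)
  {
    if(str_type == NULL)
      printf("%s/%s,0x%.8X,%s,,,,,\n", prefix, quoted_name,
             vk->type, out_value);
    else
      printf("%s/%s,%s,%s,,,,,\n", prefix, quoted_name,
             str_type, out_value);
  }
  else
  {
    if(str_type == NULL)
      printf("%s/%s,0x%.8X,%s,\n", prefix, quoted_name,
             vk->type, out_value);
    else
      printf("%s/%s,%s,%s,\n", prefix, quoted_name,
             str_type, out_value);
  }
}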