/*
 * Begin converting the data of value record `vk` to a quoted ASCII string.
 *
 * NOTE(review): only the opening of this function is visible in this
 * listing; the text breaks off after the "data stored in the offset field"
 * branch, before any return statement or closing brace. Everything below
 * describes the visible part only.
 */
char *getValue(const REGF_VK_REC* vk, char* prefix)
{
  char* quoted_value = NULL;
  char* quoted_name = NULL;
  char* conv_error = NULL;
  const char* str_type = NULL;
  uint32 size;
  uint8 tmp_buf[4];
  char *value = NULL;

  /* Thanks Microsoft for making this process so straight-forward!!! */
  /* XXX: this logic should be abstracted and pushed into the regfi
   *      interface.  This includes the size limits.
   */
  /* The VK_DATA_IN_OFFSET bit of data_size is a flag, not part of the
   * length, so it is masked off before the size is used. */
  size = (vk->data_size & ~VK_DATA_IN_OFFSET);
  if(vk->data_size & VK_DATA_IN_OFFSET)
  {
    /* Flag set: the value's bytes are taken from the data_off field itself
     * and copied into a 4-byte scratch buffer.
     *
     * NOTE(review): the shifts below move data_off by 3, 2 and 1 *bits*.
     * If the intent is to split the field into its four bytes, shifts of
     * 24, 16 and 8 would be expected -- confirm; as written the bytes
     * overlap and the upper bits of data_off never reach tmp_buf.
     */
    tmp_buf[0] = (uint8)((vk->data_off >> 3) & 0xFF);
    tmp_buf[1] = (uint8)((vk->data_off >> 2) & 0xFF);
    tmp_buf[2] = (uint8)((vk->data_off >> 1) & 0xFF);
    tmp_buf[3] = (uint8)(vk->data_off & 0xFF);
    /* data_size comes from the hive file, so a size above the 4 bytes the
     * offset field can hold is clamped rather than trusted. */
    if(size > 4)
    {
      fprintf(stderr, "WARNING: value stored in offset larger than 4. "
              "Truncating...\n");
      size = 4;
    }

    /* NOTE(review): the length passed here is the constant 4, not the
     * clamped `size`, so a value declared shorter than 4 bytes is still
     * converted as 4 bytes -- confirm whether that is intended. */
    quoted_value = data_to_ascii(tmp_buf, 4, vk->type, &conv_error);
  }
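/*
 * Print one registry value record as a single CSV line on stdout.
 *
 * vk     - value record to print; its valuename, type, data and data_size
 *          fields are read.
 * prefix - path of the parent key, written verbatim before "/<name>".
 *          NOTE(review): presumably already quoted by the caller -- confirm,
 *          since it reaches the CSV output unescaped here.
 *
 * The line has the form "<prefix>/<name>,<type>,<value>," and is followed by
 * four more empty columns when print_security is set.  Warnings go to
 * stderr.  If the value data cannot be quoted, the value column is left
 * empty instead of handing a NULL pointer to printf's %s (undefined
 * behaviour; it prints "(null)" on some C libraries and crashes on others).
 *
 * NOTE(review): quoted_name, quoted_value and conv_error are not released
 * here.  Their allocators are not visible in this function (the fallback
 * name is talloc'd on vk), so confirm ownership before adding frees.
 */
void printValue(const REGF_VK_REC* vk, char* prefix)
{
  char* quoted_value = NULL;
  char* quoted_name = NULL;
  char* conv_error = NULL;
  const char* str_type = NULL;
  const char* out_value = NULL;
  uint32 size = vk->data_size;

  /* Microsoft's documentation indicates that "available memory" is
   * the limit on value sizes.  Annoying.  We limit it to 1M which
   * should rarely be exceeded, unless the file is corrupt or
   * malicious. For more info, see:
   *   http://msdn2.microsoft.com/en-us/library/ms724872.aspx
   */
  if(size > VK_MAX_DATA_LENGTH)
  {
    /* size is unsigned, so it is printed with %u; %d would show very large
     * (corrupt or hostile) sizes as negative numbers. */
    fprintf(stderr, "WARNING: value data size %u larger than "
            "%d, truncating...\n", (unsigned int)size, VK_MAX_DATA_LENGTH);
    size = VK_MAX_DATA_LENGTH;
  }

  quoted_name = quote_string(vk->valuename, key_special_chars);
  if (quoted_name == NULL)
  { /* Value names are NULL when we're looking at the "(default)" value.
     * Currently we just return a 0-length string to try an eliminate
     * ambiguity with a literal "(default)" value.  The data type of a line
     * in the output allows one to differentiate between the parent key and
     * this value.
     */
    quoted_name = talloc_size(vk, 1);
    if(quoted_name == NULL)
      bailOut(EX_OSERR, "ERROR: Could not allocate sufficient memory.\n");
    quoted_name[0] = '\0';
  }

  /* NOTE(review): `size` is taken from the record's own data_size field and
   * only capped above.  This function does not check that vk->data is
   * non-NULL or actually holds `size` bytes -- confirm that the parser
   * guarantees this before the record gets here. */
  quoted_value = data_to_ascii(vk, vk->data, size, vk->type, &conv_error);
  if(quoted_value == NULL)
  {
    if(conv_error == NULL)
      fprintf(stderr, "WARNING: Could not quote value for '%s/%s'. "
              "Memory allocation failure likely.\n", prefix, quoted_name);
    else if(print_verbose)
      fprintf(stderr, "WARNING: Could not quote value for '%s/%s'. "
              "Returned error: %s\n", prefix, quoted_name, conv_error);
  }
  /* XXX: should these always be printed? */
  else if(conv_error != NULL && print_verbose)
    fprintf(stderr, "VERBOSE: While quoting value for '%s/%s', "
            "warning returned: %s\n", prefix, quoted_name, conv_error);

  /* Never pass NULL to %s: fall back to an empty value column. */
  out_value = (quoted_value != NULL) ? quoted_value : "";

  /* A type with no known name is printed as its raw 32-bit number in hex. */
  str_type = regfi_type_val2str(vk->type);
  if(print_security)
  {
    if(str_type == NULL)
      printf("%s/%s,0x%.8X,%s,,,,,\n", prefix, quoted_name,
             vk->type, out_value);
    else
      printf("%s/%s,%s,%s,,,,,\n", prefix, quoted_name,
             str_type, out_value);
  }
  else
  {
    if(str_type == NULL)
      printf("%s/%s,0x%.8X,%s,\n", prefix, quoted_name,
             vk->type, out_value);
    else
      printf("%s/%s,%s,%s,\n", prefix, quoted_name,
             str_type, out_value);
  }
}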