/* Opens the registry file * Returns 1 if successful or -1 on error */ int registry_file_open( registry_file_t *registry_file, const libcstring_system_character_t *filename, libcerror_error_t **error ) { libcstring_system_character_t *name = NULL; libregf_key_t *sub_key = NULL; libregf_value_t *value = NULL; static char *function = "registry_file_open"; const char *sub_key_path = NULL; const char *value_name = NULL; size_t name_size = 0; size_t sub_key_path_length = 0; size_t value_name_length = 0; int number_of_sub_keys = 0; int result = 0; if( registry_file == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid registry file.", function ); return( -1 ); } if( registry_file->is_open != 0 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET, "%s: invalid registry file already open.", function ); return( -1 ); } #if defined( LIBCSTRING_HAVE_WIDE_SYSTEM_CHARACTER ) if( libregf_file_open_wide( registry_file->regf_file, filename, LIBREGF_OPEN_READ, error ) != 1 ) #else if( libregf_file_open( registry_file->regf_file, filename, LIBREGF_OPEN_READ, error ) != 1 ) #endif { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_OPEN_FAILED, "%s: unable to open REGF file.", function ); goto on_error; } if( libregf_file_get_root_key( registry_file->regf_file, &( registry_file->root_key ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve root key.", function ); goto on_error; } if( libregf_key_get_number_of_sub_keys( registry_file->root_key, &number_of_sub_keys, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve number of sub keys of root key.", function ); goto on_error; } result = 0; if( number_of_sub_keys == 1 ) { #if defined( LIBCSTRING_HAVE_WIDE_SYSTEM_CHARACTER ) result = libregf_key_get_utf16_name_size( registry_file->root_key, &name_size, error ); #else result = libregf_key_get_utf8_name_size( registry_file->root_key, &name_size, error ); #endif if( ( result != 1 ) || ( name_size == 0 ) ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve root key name size.", function ); goto on_error; } if( ( name_size > (size_t) SSIZE_MAX ) || ( ( sizeof( libcstring_system_character_t ) * name_size ) > (size_t) SSIZE_MAX ) ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_EXCEEDS_MAXIMUM, "%s: invalid name size value exceeds maximum.", function ); goto on_error; } name = libcstring_system_string_allocate( name_size ); if( name == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT, "%s: unable to create name string.", function ); goto on_error; } #if defined( LIBCSTRING_HAVE_WIDE_SYSTEM_CHARACTER ) result = libregf_key_get_utf16_name( registry_file->root_key, (uint16_t *) name, name_size, error ); #else result = libregf_key_get_utf8_name( registry_file->root_key, (uint8_t *) name, name_size, error ); #endif if( result != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve root key name.", function ); goto on_error; } result = 0; /* TODO what about Windows NT4 */ if( name_size == 13 ) { /* Root key used by Windows 2000, XP, 2003 */ if( libcstring_system_string_compare_no_case( name, _LIBCSTRING_SYSTEM_STRING( "$$$PROTO.HIV" ), 12 ) == 0 ) { result = 1; } } else if( name_size == 53 ) { /* Root key used by Windows Vista, 2008, 7 */ if( libcstring_system_string_compare_no_case( name, _LIBCSTRING_SYSTEM_STRING( "CMI-CreateHive{" ), 15 ) == 0 ) { if( name[ 51 ] == (libcstring_system_character_t) '}' ) { result = 1; } } } else if( name_size == 58 ) { /* Root key used by Windows 8 */ if( libcstring_system_string_compare_no_case( name, _LIBCSTRING_SYSTEM_STRING( "CsiTool-CreateHive-{" ), 20 ) == 0 ) { if( name[ 56 ] == (libcstring_system_character_t) '}' ) { result = 1; } } } memory_free( name ); name = NULL; } if( result != 0 ) { if( libregf_key_get_sub_key( registry_file->root_key, 0, &( registry_file->base_key ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve base key.", function ); goto on_error; } } else { /* E.g. for the SAM registry file the root key is the base */ registry_file->base_key = registry_file->root_key; } /* Determine the registry file type based on the name of the base key */ /* TODO refactor to separate function */ #if defined( LIBCSTRING_HAVE_WIDE_SYSTEM_CHARACTER ) result = libregf_key_get_utf16_name_size( registry_file->base_key, &name_size, error ); #else result = libregf_key_get_utf8_name_size( registry_file->base_key, &name_size, error ); #endif if( ( result != 1 ) || ( name_size == 0 ) ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve base key name size.", function ); goto on_error; } if( ( name_size > (size_t) SSIZE_MAX ) || ( ( sizeof( libcstring_system_character_t ) * name_size ) > (size_t) SSIZE_MAX ) ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_EXCEEDS_MAXIMUM, "%s: invalid name size value exceeds maximum.", function ); goto on_error; } name = libcstring_system_string_allocate( name_size ); if( name == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_MEMORY, LIBCERROR_MEMORY_ERROR_INSUFFICIENT, "%s: unable to create name string.", function ); goto on_error; } #if defined( LIBCSTRING_HAVE_WIDE_SYSTEM_CHARACTER ) result = libregf_key_get_utf16_name( registry_file->base_key, (uint16_t *) name, name_size, error ); #else result = libregf_key_get_utf8_name( registry_file->base_key, (uint8_t *) name, name_size, error ); #endif if( result != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve base key name.", function ); goto on_error; } /* TODO add more types */ if( name_size == 4 ) { if( libcstring_system_string_compare_no_case( name, _LIBCSTRING_SYSTEM_STRING( "SAM" ), 3 ) == 0 ) { registry_file->type = REGISTRY_FILE_TYPE_SAM; } } memory_free( name ); name = NULL; /* TODO still needed ? */ if( libregf_key_get_number_of_sub_keys( registry_file->base_key, &number_of_sub_keys, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve number of sub keys of base key.", function ); goto on_error; } /* TODO refactor to separate function */ /* Get the current control set from: * SYSTEM\Select\Current */ sub_key_path = "Select"; sub_key_path_length = libcstring_narrow_string_length( sub_key_path ); result = libregf_key_get_sub_key_by_utf8_path( registry_file->base_key, (uint8_t *) sub_key_path, sub_key_path_length, &sub_key, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve sub key: %s.", function, sub_key_path ); goto on_error; } else if( result != 0 ) { value_name = "Current"; value_name_length = libcstring_narrow_string_length( value_name ); result = libregf_key_get_value_by_utf8_name( sub_key, (uint8_t *) value_name, value_name_length, &value, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve value: %s.", function, value_name ); goto on_error; } else if( result != 0 ) { if( libregf_value_get_value_32bit( value, &( registry_file->current_control_set ), error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve 32-bit value: %s.", function, value_name ); goto on_error; } if( libregf_value_free( &value, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED, "%s: unable to free value.", function ); goto on_error; } } } if( libregf_key_free( &sub_key, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED, "%s: unable to free sub key.", function ); goto on_error; } /* Retrieve the control set 1 key: SYSTEM\ControlSet001 */ sub_key_path = "ControlSet001"; sub_key_path_length = libcstring_narrow_string_length( sub_key_path ); result = libregf_key_get_sub_key_by_utf8_path( registry_file->base_key, (uint8_t *) sub_key_path, sub_key_path_length, &( registry_file->control_set1_key ), error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve sub key: %s.", function, sub_key_path ); goto on_error; } /* Retrieve the control set 2 key: SYSTEM\ControlSet002 */ sub_key_path = "ControlSet002"; sub_key_path_length = libcstring_narrow_string_length( sub_key_path ); result = libregf_key_get_sub_key_by_utf8_path( registry_file->base_key, (uint8_t *) sub_key_path, sub_key_path_length, &( registry_file->control_set2_key ), error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve sub key: %s.", function, sub_key_path ); goto on_error; } if( ( registry_file->current_control_set != 0 ) || ( registry_file->control_set1_key != NULL ) || ( registry_file->control_set2_key != NULL ) ) { if( ( registry_file->current_control_set != 1 ) && ( registry_file->current_control_set != 2 ) ) { /* TODO print debug notification */ registry_file->current_control_set = 1; } if( ( registry_file->current_control_set == 1 ) && ( registry_file->control_set1_key != NULL ) ) { registry_file->current_control_set_key = registry_file->control_set1_key; } else if( ( registry_file->current_control_set == 2 ) && ( registry_file->control_set2_key != NULL ) ) { registry_file->current_control_set_key = registry_file->control_set2_key; } } registry_file->is_open = 1; return( 1 ); on_error: if( value != NULL ) { libregf_value_free( &value, NULL ); } if( sub_key != NULL ) { libregf_key_free( &sub_key, NULL ); } if( registry_file->control_set2_key != NULL ) { libregf_key_free( &( registry_file->control_set2_key ), NULL ); } if( registry_file->control_set1_key != NULL ) { libregf_key_free( &( registry_file->control_set1_key ), NULL ); } if( ( registry_file->base_key != NULL ) && ( registry_file->base_key != registry_file->root_key ) ) { libregf_key_free( &( registry_file->base_key ), NULL ); } if( name != NULL ) { memory_free( name ); } if( registry_file->root_key != NULL ) { libregf_key_free( &( registry_file->root_key ), NULL ); } libregf_file_close( registry_file->regf_file, NULL ); return( -1 ); }
/* Exports the keys and values from the file * Returns the 1 if succesful or -1 on error */ int export_handle_export_file( export_handle_t *export_handle, log_handle_t *log_handle, libcerror_error_t **error ) { libregf_key_t *root_key = NULL; static char *function = "export_handle_export_file"; int result = 0; if( export_handle == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid export handle.", function ); return( -1 ); } result = libregf_file_get_root_key( export_handle->input_file, &root_key, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GET_FAILED, "%s: unable to retrieve root key.", function ); goto on_error; } else if( result != 0 ) { if( export_handle_export_key( export_handle, root_key, log_handle, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_GENERIC, "%s: unable to export root key.", function ); goto on_error; } if( libregf_key_free( &root_key, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED, "%s: unable to free root key.", function ); goto on_error; } fprintf( export_handle->notify_stream, "\n" ); } return( 1 ); on_error: if( root_key != NULL ) { libregf_key_free( &root_key, NULL ); } return( -1 ); }