static bool hbin_prs_vk_rec( const char *desc, REGF_HBIN *hbin, int depth, REGF_VK_REC *vk, REGF_FILE *file ) { uint32 offset; uint16 name_length; prs_struct *ps = &hbin->ps; uint32 data_size, start_off, end_off; depth++; /* backup and get the data_size */ if ( !prs_set_offset( &hbin->ps, hbin->ps.data_offset-sizeof(uint32)) ) return false; start_off = hbin->ps.data_offset; if ( !prs_uint32( "rec_size", &hbin->ps, depth, &vk->rec_size )) return false; if ( !prs_uint8s("header", ps, depth, vk->header, sizeof( vk->header )) ) return false; if ( !hbin->ps.io ) name_length = strlen(vk->valuename); if ( !prs_uint16( "name_length", ps, depth, &name_length )) return false; if ( !prs_uint32( "data_size", ps, depth, &vk->data_size )) return false; if ( !prs_uint32( "data_off", ps, depth, &vk->data_off )) return false; if ( !prs_uint32( "type", ps, depth, &vk->type)) return false; if ( !prs_uint16( "flag", ps, depth, &vk->flag)) return false; offset = ps->data_offset; offset += 2; /* skip 2 bytes */ prs_set_offset( ps, offset ); /* get the name */ if ( vk->flag&VK_FLAG_NAME_PRESENT ) { if ( hbin->ps.io ) { if ( !(vk->valuename = (char*)zcalloc(sizeof(char), name_length+1 ))) return false; } if ( !prs_uint8s("name", ps, depth, (uint8*)vk->valuename, name_length) ) return false; } end_off = hbin->ps.data_offset; /* get the data if necessary */ if ( vk->data_size != 0 ) { /* the data is stored in the offset if the size <= 4 */ if ( !(vk->data_size & VK_DATA_IN_OFFSET) ) { REGF_HBIN *hblock = hbin; uint32 data_rec_size; if ( hbin->ps.io ) { if ( !(vk->data = (uint8*)zcalloc(sizeof(uint8), vk->data_size) ) ) return false; } /* this data can be in another hbin */ if ( !hbin_contains_offset( hbin, vk->data_off ) ) { if ( !(hblock = lookup_hbin_block( file, vk->data_off )) ) return false; } if (!(prs_set_offset(&hblock->ps, (vk->data_off + HBIN_HDR_SIZE - hblock->first_hbin_off) - sizeof(uint32)))) { return false; } if ( !hblock->ps.io ) { data_rec_size = ( (vk->data_size+sizeof(uint32)) & 0xfffffff8 ) + 8; data_rec_size = ( data_rec_size - 1 ) ^ 0xFFFFFFFF; } if ( !prs_uint32( "data_rec_size", &hblock->ps, depth, &data_rec_size )) return false; if(!prs_uint8s("data", &hblock->ps, depth, vk->data, vk->data_size)) return false; if ( !hblock->ps.io ) hblock->dirty = true; } else { if(!(vk->data = zcalloc(sizeof(uint8), 4))) return false; SIVAL( vk->data, 0, vk->data_off ); } } /* data_size must be divisible by 8 and large enough to hold the original record */ data_size = ((start_off - end_off ) & 0xfffffff8 ); /* XXX: should probably print a warning here */ /*if ( data_size != vk->rec_size ) DEBUG(10,("prs_vk_rec: data_size check failed (0x%x < 0x%x)\n", data_size, vk->rec_size));*/ if ( !hbin->ps.io ) hbin->dirty = true; return true; }
static bool prs_nk_rec( const char *desc, prs_struct *ps, int depth, REGF_NK_REC *nk ) { uint16 class_length, name_length; uint32 start; uint32 data_size, start_off, end_off; uint32 unknown_off = REGF_OFFSET_NONE; nk->hbin_off = ps->data_offset; start = nk->hbin_off; depth++; /* back up and get the data_size */ if ( !prs_set_offset( ps, ps->data_offset-sizeof(uint32)) ) return false; start_off = ps->data_offset; if ( !prs_uint32( "rec_size", ps, depth, &nk->rec_size )) return false; if (!prs_uint8s("header", ps, depth, nk->header, sizeof(nk->header))) return false; if ( !prs_uint16( "key_type", ps, depth, &nk->key_type )) return false; if ( !smb_io_time( "mtime", &nk->mtime, ps, depth )) return false; if ( !prs_set_offset( ps, start+0x0010 ) ) return false; if ( !prs_uint32( "parent_off", ps, depth, &nk->parent_off )) return false; if ( !prs_uint32( "num_subkeys", ps, depth, &nk->num_subkeys )) return false; if ( !prs_set_offset( ps, start+0x001c ) ) return false; if ( !prs_uint32( "subkeys_off", ps, depth, &nk->subkeys_off )) return false; if ( !prs_uint32( "unknown_off", ps, depth, &unknown_off) ) return false; if ( !prs_set_offset( ps, start+0x0024 ) ) return false; if ( !prs_uint32( "num_values", ps, depth, &nk->num_values )) return false; if ( !prs_uint32( "values_off", ps, depth, &nk->values_off )) return false; if ( !prs_uint32( "sk_off", ps, depth, &nk->sk_off )) return false; if ( !prs_uint32( "classname_off", ps, depth, &nk->classname_off )) return false; if (!prs_uint32("max_bytes_subkeyname", ps, depth, &nk->max_bytes_subkeyname)) return false; if ( !prs_uint32( "max_bytes_subkeyclassname", ps, depth, &nk->max_bytes_subkeyclassname)) { return false; } if ( !prs_uint32( "max_bytes_valuename", ps, depth, &nk->max_bytes_valuename)) return false; if ( !prs_uint32( "max_bytes_value", ps, depth, &nk->max_bytes_value)) return false; if ( !prs_uint32( "unknown index", ps, depth, &nk->unk_index)) return false; name_length = nk->keyname ? strlen(nk->keyname) : 0 ; class_length = nk->classname ? strlen(nk->classname) : 0 ; if ( !prs_uint16( "name_length", ps, depth, &name_length )) return false; if ( !prs_uint16( "class_length", ps, depth, &class_length )) return false; if ( class_length ) { /* XXX: why isn't this parsed? */ ;; } if ( name_length ) { if(ps->io && !(nk->keyname = (char*)zcalloc(sizeof(char), name_length+1))) return false; if(!prs_uint8s("name", ps, depth, (uint8*)nk->keyname, name_length)) return false; if(ps->io) nk->keyname[name_length] = '\0'; } end_off = ps->data_offset; /* data_size must be divisible by 8 and large enough to hold the original record */ data_size = ((start_off - end_off) & 0xfffffff8 ); /*if ( data_size > nk->rec_size ) DEBUG(10,("Encountered reused record (0x%x < 0x%x)\n", data_size, nk->rec_size));*/ if ( !ps->io ) nk->hbin->dirty = true; return true; }
static REGF_HBIN* read_hbin_block( REGF_FILE *file, off_t offset ) { REGF_HBIN *hbin; uint32 record_size, curr_off, block_size, header=0; if ( !(hbin = (REGF_HBIN*)zalloc(sizeof(REGF_HBIN))) ) return NULL; hbin->file_off = offset; hbin->free_off = -1; if ( read_block( file, &hbin->ps, offset, 0 ) == -1 ) return NULL; if ( !prs_hbin_block( "hbin", &hbin->ps, 0, hbin ) ) return NULL; /* this should be the same thing as hbin->block_size but just in case */ block_size = hbin->ps.buffer_size; /* Find the available free space offset. Always at the end, so walk the record list and stop when you get to the end. The end is defined by a record header of 0xffffffff. The previous 4 bytes contains the amount of free space remaining in the hbin block. */ /* remember that the record_size is in the 4 bytes preceeding the record itself */ if ( !prs_set_offset( &hbin->ps, file->data_offset+HBIN_HDR_SIZE-sizeof(uint32) ) ) return false; record_size = 0; curr_off = hbin->ps.data_offset; while ( header != 0xffffffff ) { /* not done yet so reset the current offset to the next record_size field */ curr_off = curr_off+record_size; /* for some reason the record_size of the last record in an hbin block can extend past the end of the block even though the record fits within the remaining space....aaarrrgggghhhhhh */ if ( curr_off >= block_size ) { record_size = -1; curr_off = -1; break; } if ( !prs_set_offset( &hbin->ps, curr_off) ) return false; if ( !prs_uint32( "rec_size", &hbin->ps, 0, &record_size ) ) return false; if ( !prs_uint32( "header", &hbin->ps, 0, &header ) ) return false; assert( record_size != 0 ); if ( record_size & 0x80000000 ) { /* absolute_value(record_size) */ record_size = (record_size ^ 0xffffffff) + 1; } } /* save the free space offset */ if ( header == 0xffffffff ) { /* account for the fact that the curr_off is 4 bytes behind the actual record header */ hbin->free_off = curr_off + sizeof(uint32); hbin->free_size = record_size; } /*DEBUG(10,("read_hbin_block: free space offset == 0x%x\n", hbin->free_off));*/ if ( !prs_set_offset( &hbin->ps, file->data_offset+HBIN_HDR_SIZE ) ) return false; return hbin; }
/******************************************************************* read a VK record which is contained in the HBIN block stored in the prs_struct *ps. *******************************************************************/ static bool hbin_prs_vk_records(const char *desc, REGF_HBIN *hbin, int depth, REGF_NK_REC *nk, REGF_FILE *file) { int i; uint32 record_size; depth++; /* check if we have anything to do first */ if(nk->num_values == 0) return true; if(hbin->ps.io) { if (!(nk->values = (REGF_VK_REC*)zcalloc(sizeof(REGF_VK_REC), nk->num_values ))) return false; } /* convert the offset to something relative to this HBIN block */ if (!prs_set_offset(&hbin->ps, nk->values_off + HBIN_HDR_SIZE - hbin->first_hbin_off - sizeof(uint32))) { return false; } if ( !hbin->ps.io ) { record_size = ( ( nk->num_values * sizeof(uint32) ) & 0xfffffff8 ) + 8; record_size = (record_size - 1) ^ 0xFFFFFFFF; } if ( !prs_uint32( "record_size", &hbin->ps, depth, &record_size ) ) return false; for ( i=0; i<nk->num_values; i++ ) { if ( !prs_uint32( "vk_off", &hbin->ps, depth, &nk->values[i].rec_off ) ) return false; } for ( i=0; i<nk->num_values; i++ ) { REGF_HBIN *sub_hbin = hbin; uint32 new_offset; if ( !hbin_contains_offset( hbin, nk->values[i].rec_off ) ) { sub_hbin = lookup_hbin_block( file, nk->values[i].rec_off ); if ( !sub_hbin ) { /*DEBUG(0,("hbin_prs_vk_records: Failed to find HBIN block containing offset [0x%x]\n", nk->values[i].hbin_off));*/ return false; } } new_offset = nk->values[i].rec_off + HBIN_HDR_SIZE - sub_hbin->first_hbin_off; if (!prs_set_offset(&sub_hbin->ps, new_offset)) return false; if (!hbin_prs_vk_rec("vk_rec", sub_hbin, depth, &nk->values[i], file)) return false; } if ( !hbin->ps.io ) hbin->dirty = true; return true; }
/******************************************************************* Stream a uint64_struct ********************************************************************/ BOOL prs_uint64(const char *name, prs_struct *ps, int depth, UINT64_S *data64) { return prs_uint32(name, ps, depth+1, &data64->low) && prs_uint32(name, ps, depth+1, &data64->high); }
static BOOL net_io_user_info3(char *desc, NET_USER_INFO_3 *usr, prs_struct *ps, int depth) { int i; if (usr == NULL) return False; prs_debug(ps, depth, desc, "lsa_io_lsa_user_info"); depth++; if(!prs_align(ps)) return False; if(!prs_uint32("ptr_user_info ", ps, depth, &usr->ptr_user_info)) return False; if (usr->ptr_user_info == 0) return True; if(!smb_io_time("time", &usr->logon_time, ps, depth)) /* logon time */ return False; if(!smb_io_time("time", &usr->logoff_time, ps, depth)) /* logoff time */ return False; if(!smb_io_time("time", &usr->kickoff_time, ps, depth)) /* kickoff time */ return False; if(!smb_io_time("time", &usr->pass_last_set_time, ps, depth)) /* password last set time */ return False; if(!smb_io_time("time", &usr->pass_can_change_time , ps, depth)) /* password can change time */ return False; if(!smb_io_time("time", &usr->pass_must_change_time, ps, depth)) /* password must change time */ return False; if(!smb_io_unihdr("unihdr", &usr->hdr_user_name, ps, depth)) /* username unicode string header */ return False; if(!smb_io_unihdr("unihdr", &usr->hdr_full_name, ps, depth)) /* user's full name unicode string header */ return False; if(!smb_io_unihdr("unihdr", &usr->hdr_logon_script, ps, depth)) /* logon script unicode string header */ return False; if(!smb_io_unihdr("unihdr", &usr->hdr_profile_path, ps, depth)) /* profile path unicode string header */ return False; if(!smb_io_unihdr("unihdr", &usr->hdr_home_dir, ps, depth)) /* home directory unicode string header */ return False; if(!smb_io_unihdr("unihdr", &usr->hdr_dir_drive, ps, depth)) /* home directory drive unicode string header */ return False; if(!prs_uint16("logon_count ", ps, depth, &usr->logon_count)) /* logon count */ return False; if(!prs_uint16("bad_pw_count ", ps, depth, &usr->bad_pw_count)) /* bad password count */ return False; if(!prs_uint32("user_id ", ps, depth, &usr->user_id)) /* User ID */ return False; if(!prs_uint32("group_id ", ps, depth, &usr->group_id)) /* Group ID */ return False; if(!prs_uint32("num_groups ", ps, depth, &usr->num_groups)) /* num groups */ return False; if(!prs_uint32("buffer_groups ", ps, depth, &usr->buffer_groups)) /* undocumented buffer pointer to groups. */ return False; if(!prs_uint32("user_flgs ", ps, depth, &usr->user_flgs)) /* user flags */ return False; if(!prs_uint8s(False, "user_sess_key", ps, depth, usr->user_sess_key, 16)) /* unused user session key */ return False; if(!smb_io_unihdr("unihdr", &usr->hdr_logon_srv, ps, depth)) /* logon server unicode string header */ return False; if(!smb_io_unihdr("unihdr", &usr->hdr_logon_dom, ps, depth)) /* logon domain unicode string header */ return False; if(!prs_uint32("buffer_dom_id ", ps, depth, &usr->buffer_dom_id)) /* undocumented logon domain id pointer */ return False; if(!prs_uint8s (False, "padding ", ps, depth, usr->padding, 40)) /* unused padding bytes? */ return False; if(!prs_uint32("num_other_sids", ps, depth, &usr->num_other_sids)) /* 0 - num_sids */ return False; if(!prs_uint32("buffer_other_sids", ps, depth, &usr->buffer_other_sids)) /* NULL - undocumented pointer to SIDs. */ return False; if(!smb_io_unistr2("unistr2", &usr->uni_user_name, usr->hdr_user_name.buffer, ps, depth)) /* username unicode string */ return False; if(!smb_io_unistr2("unistr2", &usr->uni_full_name, usr->hdr_full_name.buffer, ps, depth)) /* user's full name unicode string */ return False; if(!smb_io_unistr2("unistr2", &usr->uni_logon_script, usr->hdr_logon_script.buffer, ps, depth)) /* logon script unicode string */ return False; if(!smb_io_unistr2("unistr2", &usr->uni_profile_path, usr->hdr_profile_path.buffer, ps, depth)) /* profile path unicode string */ return False; if(!smb_io_unistr2("unistr2", &usr->uni_home_dir, usr->hdr_home_dir.buffer, ps, depth)) /* home directory unicode string */ return False; if(!smb_io_unistr2("unistr2", &usr->uni_dir_drive, usr->hdr_dir_drive.buffer, ps, depth)) /* home directory drive unicode string */ return False; if(!prs_align(ps)) return False; if(!prs_uint32("num_groups2 ", ps, depth, &usr->num_groups2)) /* num groups */ return False; SMB_ASSERT_ARRAY(usr->gids, usr->num_groups2); for (i = 0; i < usr->num_groups2; i++) { if(!smb_io_gid("", &usr->gids[i], ps, depth)) /* group info */ return False; } if(!smb_io_unistr2("unistr2", &usr->uni_logon_srv, usr->hdr_logon_srv.buffer, ps, depth)) /* logon server unicode string */ return False; if(!smb_io_unistr2("unistr2", &usr->uni_logon_dom, usr->hdr_logon_srv.buffer, ps, depth)) /* logon domain unicode string */ return False; if(!smb_io_dom_sid2("", &usr->dom_sid, ps, depth)) /* domain SID */ return False; SMB_ASSERT_ARRAY(usr->other_sids, usr->num_other_sids); for (i = 0; i < usr->num_other_sids; i++) { if(!smb_io_dom_sid2("", &usr->other_sids[i], ps, depth)) /* other domain SIDs */ return False; } return True; }
BOOL dfs_io_dfs_info_ctr(const char *desc, DFS_INFO_CTR* ctr, uint32 num_entries, uint32 level, prs_struct* ps, int depth) { int i=0; switch(level) { case 1: depth++; /* should depend on whether marshalling or unmarshalling! */ if(UNMARSHALLING(ps)) { ctr->dfs.info1 = (DFS_INFO_1 *)prs_alloc_mem(ps, sizeof(DFS_INFO_1)*num_entries); if (!ctr->dfs.info1) return False; } for(i=0;i<num_entries;i++) { if(!prs_uint32("ptr_entrypath",ps, depth, &ctr->dfs.info1[i].ptr_entrypath)) return False; } for(i=0;i<num_entries;i++) { if(!smb_io_unistr2("", &ctr->dfs.info1[i].entrypath, ctr->dfs.info1[i].ptr_entrypath, ps, depth)) return False; if(!prs_align(ps)) return False; } depth--; break; case 2: depth++; if(UNMARSHALLING(ps)) { ctr->dfs.info2 = (DFS_INFO_2 *)prs_alloc_mem(ps, num_entries*sizeof(DFS_INFO_2)); if (!ctr->dfs.info2) return False; } for(i=0;i<num_entries;i++) { if(!prs_uint32("ptr_entrypath", ps, depth, &ctr->dfs.info2[i].ptr_entrypath)) return False; if(!prs_uint32("ptr_comment", ps, depth, &ctr->dfs.info2[i].ptr_comment)) return False; if(!prs_uint32("state", ps, depth, &ctr->dfs.info2[i].state)) return False; if(!prs_uint32("num_storages", ps, depth, &ctr->dfs.info2[i].num_storages)) return False; } for(i=0;i<num_entries;i++) { if(!smb_io_unistr2("", &ctr->dfs.info2[i].entrypath, ctr->dfs.info2[i].ptr_entrypath, ps, depth)) return False; if(!prs_align(ps)) return False; if(!smb_io_unistr2("",&ctr->dfs.info2[i].comment, ctr->dfs.info2[i].ptr_comment, ps, depth)) return False; if(!prs_align(ps)) return False; } depth--; break; case 3: depth++; if(UNMARSHALLING(ps)) { ctr->dfs.info3 = (DFS_INFO_3 *)prs_alloc_mem(ps, num_entries*sizeof(DFS_INFO_3)); if (!ctr->dfs.info3) return False; } for(i=0;i<num_entries;i++) { if(!prs_uint32("ptr_entrypath", ps, depth, &ctr->dfs.info3[i].ptr_entrypath)) return False; if(!prs_uint32("ptr_comment", ps, depth, &ctr->dfs.info3[i].ptr_comment)) return False; if(!prs_uint32("state", ps, depth, &ctr->dfs.info3[i].state)) return False; if(!prs_uint32("num_storages", ps, depth, &ctr->dfs.info3[i].num_storages)) return False; if(!prs_uint32("ptr_storages", ps, depth, &ctr->dfs.info3[i].ptr_storages)) return False; } for(i=0;i<num_entries;i++) { if(!smb_io_unistr2("", &ctr->dfs.info3[i].entrypath, ctr->dfs.info3[i].ptr_entrypath, ps, depth)) return False; if(!prs_align(ps)) return False; if(!smb_io_unistr2("", &ctr->dfs.info3[i].comment, ctr->dfs.info3[i].ptr_comment, ps, depth)) return False; if(!prs_align(ps)) return False; if(!prs_uint32("num_storage_infos", ps, depth, &ctr->dfs.info3[i].num_storage_infos)) return False; if(!dfs_io_dfs_storage_info("storage_info", &ctr->dfs.info3[i], ps, depth)) return False; } } return True; }
/** Structure of response seems to be: DWORD num_bytes_in_resp -- MUST be the same as q_u->max_read_size for i=0..n EVENTLOGRECORD record DWORD sent_size -- sum of EVENTLOGRECORD lengths if records returned, 0 otherwise DWORD real_size -- 0 if records returned, otherwise length of next record to be returned WERROR status */ BOOL eventlog_io_r_read_eventlog(const char *desc, EVENTLOG_Q_READ_EVENTLOG *q_u, EVENTLOG_R_READ_EVENTLOG *r_u, prs_struct *ps, int depth) { Eventlog_entry *entry; uint32 record_written = 0; uint32 record_total = 0; if(r_u == NULL) return False; prs_debug(ps, depth, desc, "eventlog_io_r_read_eventlog"); depth++; /* First, see if we've read more logs than we can output */ if(r_u->num_bytes_in_resp > q_u->max_read_size) { entry = r_u->entry; /* remove the size of the last entry from the list */ while(entry->next != NULL) entry = entry->next; r_u->num_bytes_in_resp -= entry->record.length; /* do not output the last log entry */ r_u->num_records--; } entry = r_u->entry; record_total = r_u->num_records; if(r_u->num_bytes_in_resp != 0) r_u->sent_size = r_u->num_bytes_in_resp; else r_u->real_size = r_u->bytes_in_next_record; if(!(prs_align(ps))) return False; if(!(prs_uint32("bytes in resp", ps, depth, &(q_u->max_read_size)))) return False; while(entry != NULL && record_written < record_total) { DEBUG(11, ("eventlog_io_r_read_eventlog: writing record [%d] out of [%d].\n", record_written, record_total)); /* Encode the actual eventlog record record */ if(!(prs_uint32("length", ps, depth, &(entry->record.length)))) return False; if(!(prs_uint32("reserved", ps, depth, &(entry->record.reserved1)))) return False; if(!(prs_uint32("record number", ps, depth, &(entry->record.record_number)))) return False; if(!(prs_uint32("time generated", ps, depth, &(entry->record.time_generated)))) return False; if(!(prs_uint32("time written", ps, depth, &(entry->record.time_written)))) return False; if(!(prs_uint32("event id", ps, depth, &(entry->record.event_id)))) return False; if(!(prs_uint16("event type", ps, depth, &(entry->record.event_type)))) return False; if(!(prs_uint16("num strings", ps, depth, &(entry->record.num_strings)))) return False; if(!(prs_uint16("event category", ps, depth, &(entry->record.event_category)))) return False; if(!(prs_uint16("reserved2", ps, depth, &(entry->record.reserved2)))) return False; if(!(prs_uint32("closing record", ps, depth, &(entry->record.closing_record_number)))) return False; if(!(prs_uint32("string offset", ps, depth, &(entry->record.string_offset)))) return False; if(!(prs_uint32("user sid length", ps, depth, &(entry->record.user_sid_length)))) return False; if(!(prs_uint32("user sid offset", ps, depth, &(entry->record.user_sid_offset)))) return False; if(!(prs_uint32("data length", ps, depth, &(entry->record.data_length)))) return False; if(!(prs_uint32("data offset", ps, depth, &(entry->record.data_offset)))) return False; if(!(prs_align(ps))) return False; /* Now encoding data */ if(!(prs_uint8s(False, "buffer", ps, depth, entry->data, entry->record.length - sizeof(Eventlog_record) - sizeof(entry->record.length)))) { return False; } if(!(prs_align(ps))) return False; if(!(prs_uint32("length 2", ps, depth, &(entry->record.length)))) return False; entry = entry->next; record_written++; } /* end of encoding EVENTLOGRECORD */ /* Now pad with whitespace until the end of the response buffer */ if (q_u->max_read_size - r_u->num_bytes_in_resp) { if (!r_u->end_of_entries_padding) { return False; } if(!(prs_uint8s(False, "end of entries padding", ps, depth, r_u->end_of_entries_padding, (q_u->max_read_size - r_u->num_bytes_in_resp)))) { free(r_u->end_of_entries_padding); return False; } free(r_u->end_of_entries_padding); } /* We had better be DWORD aligned here */ if(!(prs_uint32("sent size", ps, depth, &(r_u->sent_size)))) return False; if(!(prs_uint32("real size", ps, depth, &(r_u->real_size)))) return False; if(!(prs_ntstatus("status code", ps, depth, &r_u->status))) return False; return True; }