Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

972 lines
24 KiB

//Copyright (c) 1998 - 1999 Microsoft Corporation
/*++
Copyright (c) 1998 Citrix Systems
Module Name:
regfix.c
Abstract:
Reads hv (low) level structures in a hive and rewrites the hive structs after applying
ACL fixes. Reads in the hive in block sizes. Scans for and processes security keys.
Extracts the SECURITY_DESCRIPTOR structure form a cell and checks consistency of sizes
of ACEs and ACLs.
Usage: regfix in_filename out_filename
Author:
Maris Kurens (v-marisk (MS), marisk (CTXS)) Apr 1998
Revision History:
Created - Apr 23, 1998
--*/
/*
NOTE: This hive/registry tool does not read the
entire hive into memory, but will read the hive file
on a block by block basis, process each block and
write out the block to a new file using file I/O.
*/
// Include NT headers
#include <nt.h>
#include <ntrtl.h>
#include <nturtl.h>
#include <ntseapi.h>
#include "cmp.h"
#include "regfix.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#define INFILE 0x01
#define OUTFILE 0x02
#define BOTHFILE 0x03
int __cdecl main (int argc, char *argv[]);
void openFile (void);
void closeFile (unsigned which);
void ScanHive (void);
void DoKeySD (IN PCM_KEY_SECURITY Security, IN ULONG CellSize);
void ScanCell (PHCELL Cell, ULONG CellSize);
void DumpSecurityDescriptor (PSECURITY_DESCRIPTOR pSD);
void CtxDumpSid (PSID, PCHAR, PULONG);
void DumpAcl (PACL, PCHAR, PULONG);
void DumpAce (PACE_HEADER, PCHAR, PULONG);
BOOL AreWeRunningTerminalServices(void);
VOID WINAPI ErrorPrintf (int nErrorResourceID, ...);
LPCTSTR inFileName = NULL;
LPCTSTR outFileName = NULL;
HANDLE infilehandle;
HANDLE outfilehandle;
ULONG HiveVersion;
//
// SUMMARY TOTALS
//
ULONG SizeSDData=0;
ULONG NumSDData=0;
ULONG BlockNumb = 0;
ULONG BadACL = 0;
ULONG BadACE = 0;
//---------------------------------------------------------
// Description :
// Basic arg check, arg echo, process calls and result dump
//
// Args :
// if you have to ask ...
//
// Return :
//
//---------------------------------------------------------
int __cdecl main (int argc, char *argv[])
{
//Check if we are running under Terminal Server
if(!AreWeRunningTerminalServices())
{
ErrorPrintf(IDS_ERROR_NOT_TS);
return(1);
}
if (argc < 3)
{
ErrorPrintf (IDS_ERROR_USAGE);
exit (1);
}
inFileName = argv [1];
outFileName = argv [2];
//
// echo the args
//
ErrorPrintf (IDS_WORKING);
//
// open the in and out files
//
openFile ();
//
// and process it
//
ScanHive ();
ErrorPrintf (IDS_DONE);
ErrorPrintf (IDS_SD_NUMBER, NumSDData);
ErrorPrintf (IDS_BAD_ACL_NUMBER, BadACL);
ErrorPrintf (IDS_BAD_ACE_NUMBER, BadACE);
return (0);
}
//---------------------------------------------------------
// Description :
// Closes file handles based on input args
//
// Args :
// which - signals if input or output or both files should be closed
//
// Return : Nothing
//
//---------------------------------------------------------
void closeFile (unsigned which)
{
if (which & INFILE)
{
if (infilehandle != INVALID_HANDLE_VALUE)
{
CloseHandle (infilehandle);
infilehandle = INVALID_HANDLE_VALUE;
}
}
if (which & OUTFILE)
{
if (infilehandle != INVALID_HANDLE_VALUE)
{
CloseHandle (outfilehandle);
outfilehandle = INVALID_HANDLE_VALUE;
}
}
}
//---------------------------------------------------------
// Description :
// Opens input and output files
//
// Args : Nada
//
// Return : Nada
//
//---------------------------------------------------------
void openFile (void)
{
//
// open the input file
//
infilehandle = CreateFile (inFileName, GENERIC_READ, FILE_SHARE_READ, NULL,
OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, NULL);
if (infilehandle == INVALID_HANDLE_VALUE)
{
fprintf (stderr,
"regfix: Could not open file '%s' error = %08lx\n",
inFileName, GetLastError());
exit(1);
}
//
// open the output file
//
outfilehandle = CreateFile (outFileName, GENERIC_WRITE, FILE_SHARE_WRITE, NULL,
CREATE_ALWAYS, FILE_FLAG_SEQUENTIAL_SCAN, NULL);
if (outfilehandle == INVALID_HANDLE_VALUE)
{
closeFile (INFILE);
fprintf (stderr,
"hivestat: Could not create file '%s' error = %08lx\n",
outFileName, GetLastError());
exit(1);
}
}
//---------------------------------------------------------
// Description :
// Scan the hive, looking for security cells. Load the
// hive block by block and write each block to the output
// file after processing it.
//
// Args : None
//
// Return : Nyet
//
//---------------------------------------------------------
void ScanHive (void)
{
static char buffer[HBLOCK_SIZE];
PHBASE_BLOCK bbp;
BOOL rf;
BOOL wf;
ULONG readcount;
ULONG writecount;
ULONG hivelength;
ULONG hiveposition;
PHCELL cp;
PHCELL guard;
PHBIN hbp;
ULONG hoff;
ULONG binread;
ULONG binsize;
ULONG cellsize;
ULONG boff;
ULONG lboff;
ULONG SizeTotal;
//
// read the header
//
rf = ReadFile (infilehandle, buffer, HBLOCK_SIZE, &readcount, NULL);
if ((!rf) || (readcount != HBLOCK_SIZE) )
{
closeFile (BOTHFILE);
fprintf (stderr, "regfix: '%s' - cannot read base block!\n", inFileName);
exit(1);
}
BlockNumb++;
bbp = (PHBASE_BLOCK)(&(buffer[0]));
if ((bbp->Major != HSYS_MAJOR) ||
(bbp->Minor > HSYS_MINOR))
{
closeFile (BOTHFILE);
fprintf(stderr,
"hivestat: major/minor != %d/%d get newer hivestat\n",
HSYS_MAJOR, HSYS_MINOR
);
exit(1);
}
HiveVersion = bbp->Minor;
hivelength = bbp->Length + HBLOCK_SIZE;
hiveposition = HBLOCK_SIZE;
hoff = 0;
//
// scan the hive
//
guard = (PHCELL)(&(buffer[0]) + HBLOCK_SIZE);
wf = WriteFile (outfilehandle, buffer, HBLOCK_SIZE, &writecount, NULL);
if ((!wf) || (writecount != HBLOCK_SIZE) )
{
closeFile (BOTHFILE);
fprintf (stderr, "regfix: '%s' - cannot write base block!\n", outFileName);
exit(1);
}
//
// hiveposition is file relative offset of next block we will read
//
// hoff is the file relative offset of the last block we read
//
// hivelength is actual length of file (header's recorded length plus
// the size of the header.
//
// cp is pointer into memory, within range of buffer, it's a cell pointer
//
while (hiveposition < hivelength)
{
//
// read in first block of bin, check signature, determine key type
//
rf = ReadFile (infilehandle, buffer, HBLOCK_SIZE, &readcount, NULL);
if ((! rf) || (readcount != HBLOCK_SIZE))
{
closeFile (BOTHFILE);
fprintf (stderr, "hivestat: '%s' read error @%08lx\n", inFileName, hiveposition);
exit (1);
}
BlockNumb++;
hbp = (PHBIN)(&(buffer[0]));
if (hbp->Signature != HBIN_SIGNATURE)
{
closeFile (BOTHFILE);
fprintf(stderr,
"hivestat: '%s' bad bin sign. @%08lx\n", inFileName, hiveposition);
exit(1);
}
hiveposition += HBLOCK_SIZE;
hoff += HBLOCK_SIZE;
ASSERT (hoff+HBLOCK_SIZE == hiveposition);
binsize = hbp->Size;
//
// scan the bin
//
// cp = pointer to cell we are looking at
// boff = offset within bin
// lboff = last offset within bin, used only for consistency checks
// binread = number of bytes of bin we've read so far
//
cp = (PHCELL)((PUCHAR)hbp + sizeof(HBIN));
boff = sizeof(HBIN);
lboff = (ULONG)-1;
binread = HBLOCK_SIZE;
while (binread <= binsize)
{
//
// if free, update pointer only
// else scan it
//
if (cp->Size > 0)
{
cellsize = cp->Size;
}
else
{
cellsize = -1 * cp->Size;
ScanCell (cp, cellsize);
}
//
// do basic consistency check
//
#if 0
if (cp->Last != lboff) {
printf("e!,x%08lx bad LAST pointer %08lx\n",
hoff+((PUCHAR)cp - &(buffer[0])), cp->Last);
}
#endif
//
// advance to next cell
//
lboff = boff;
cp = (PHCELL)((PUCHAR)cp + cellsize);
boff += cellsize;
//
// scan ahead in bin, if cp has reached off end of block,
// AND there's bin left to read.
// do this BEFORE breaking out for boff at end.
//
while ((cp >= guard) && (binread < binsize))
{
// write out the currently loaded block
wf = WriteFile (outfilehandle, buffer, HBLOCK_SIZE, &writecount, NULL);
if ((!wf) || (writecount != HBLOCK_SIZE) )
{
closeFile (BOTHFILE);
fprintf (stderr, "regfix: '%s' - cannot write block %d!\n", BlockNumb, outFileName);
exit(1);
}
rf = ReadFile(infilehandle, buffer, HBLOCK_SIZE, &readcount, NULL);
if ((!rf) || (readcount != HBLOCK_SIZE))
{
closeFile (BOTHFILE);
fprintf(stderr, "hivestat: '%s' read error @%08lx\n", inFileName, hiveposition);
exit(1);
}
BlockNumb++;
cp = (PHCELL)((PUCHAR)cp - HBLOCK_SIZE);
hiveposition += HBLOCK_SIZE;
hoff += HBLOCK_SIZE;
binread += HBLOCK_SIZE;
ASSERT (hoff+HBLOCK_SIZE == hiveposition);
}
if (boff >= binsize)
{
break; // we are done with this bin
}
}
wf = WriteFile (outfilehandle, buffer, HBLOCK_SIZE, &writecount, NULL);
if ((!wf) || (writecount != HBLOCK_SIZE) )
{
closeFile (BOTHFILE);
fprintf (stderr, "regfix: '%s' - cannot write block %d!\n", BlockNumb, outFileName);
exit(1);
}
}
return;
}
//---------------------------------------------------------
// Description :
// Given a pointer to an HCELL, check the SD type cell signature
// If it is pass to the SD processing routines.
// Note : framework is in place to handle other cell types
//
// Args :
// Cell - Supplies a pointer to the HCELL
//
// CellSize - Supplies the size of the HCELL
//
// Return : Nothing
//
//---------------------------------------------------------
void ScanCell (IN PHCELL Cell, IN ULONG CellSize)
{
PCELL_DATA Data;
if (HiveVersion==1)
{
Data = (PCELL_DATA)&Cell->u.OldCell.u.UserData;
}
else
{
Data = (PCELL_DATA)&Cell->u.NewCell.u.UserData;
}
//
// grovel through the data, see if we can find the SD keys
//
if ((Data->u.KeyNode.Signature == CM_KEY_NODE_SIGNATURE) &&
(CellSize > sizeof(CM_KEY_NODE)))
{
//
// probably a key node
//
return;
}
else if ((Data->u.KeyValue.Signature == CM_KEY_VALUE_SIGNATURE) &&
(CellSize > sizeof(CM_KEY_VALUE)))
{
//
// probably a key value
//
return;
}
else if ((Data->u.KeySecurity.Signature == CM_KEY_SECURITY_SIGNATURE) &&
(CellSize > sizeof(CM_KEY_SECURITY)))
{
//
// probably a security descriptor
//
DoKeySD (&Data->u.KeySecurity, CellSize);
}
else if ((Data->u.KeyIndex.Signature == CM_KEY_INDEX_ROOT) ||
(Data->u.KeyIndex.Signature == CM_KEY_INDEX_LEAF))
{
//
// probably a key index
//
return;
}
else
{
//
// Nothing with a signature, could be either
// name
// key list
// value data
//
return;
}
}
//---------------------------------------------------------
// Description :
// Expects an SD cell pointer. Extracts the SD descriptor
// and passes it on for further processing
//
// Args :
// Security - Pointer to PCM_KEY_SECURITY type cell
//
// CellSize - size of the HCELL
//
// Return : Nothing
//
//---------------------------------------------------------
void DoKeySD (IN PCM_KEY_SECURITY Security, IN ULONG CellSize)
{
PSECURITY_DESCRIPTOR pSD;
SizeSDData += CellSize;
NumSDData++;
pSD = &Security->Descriptor;
DumpSecurityDescriptor (pSD);
}
//---------------------------------------------------------
// ** The following routines are hacks of the dumpsd
// ** lib code in private\citrix\syslib
// ** This util can easily be modified as a standalone
// ** utility for a variety of hive security processing
//---------------------------------------------------------
//---------------------------------------------------------
// Description :
// Unfolds an SD descriptor passing SID and ACL pointers
// for further processing
//
// Args :
// pSD - Pointer to SECURITY_DESCRIPTOR structure
//
// Return : Nothing
//
//---------------------------------------------------------
void DumpSecurityDescriptor (PSECURITY_DESCRIPTOR pSD)
{
PISECURITY_DESCRIPTOR p = (PISECURITY_DESCRIPTOR)pSD;
PSID pSid;
PACL pAcl;
PCHAR pTmp;
ULONG Size;
/*
DbgPrint ("DUMP_SECURITY_DESCRIPTOR: Revision %d, Sbz1 %d, Control 0x%x\n",
p->Revision, p->Sbz1, p->Control );
if (p->Control & SE_SELF_RELATIVE )
{
DbgPrint("Self Relative\n");
}
DbgPrint("PSID Owner 0x%x\n",p->Owner);
*/
// If this is self relative, must offset the pointers
if( p->Owner != NULL )
{
if (p->Control & SE_SELF_RELATIVE)
{
pTmp = (PCHAR)pSD;
pTmp += (ULONG)p->Owner;
CtxDumpSid ((PSID)pTmp, (PCHAR)p, &Size );
}
else
{
// can reference it directly
CtxDumpSid (p->Owner, (PCHAR)p, &Size );
}
}
/*
DbgPrint("PSID Group 0x%x\n",p->Group);
*/
// If this is self relative, must offset the pointers
if (p->Group != NULL)
{
if (p->Control & SE_SELF_RELATIVE)
{
pTmp = (PCHAR)pSD;
pTmp += (ULONG)p->Group;
CtxDumpSid( (PSID)pTmp, (PCHAR)p, &Size );
}
else
{
// can reference it directly
CtxDumpSid( p->Group, (PCHAR)p, &Size );
}
}
// DbgPrint("\n");
// DbgPrint("PACL Sacl 0x%x\n",p->Sacl);
// If this is self relative, must offset the pointers
if (p->Sacl != NULL)
{
if (p->Control & SE_SELF_RELATIVE)
{
pTmp = (PCHAR)pSD;
pTmp += (ULONG)p->Sacl;
DumpAcl( (PSID)pTmp, (PCHAR)p, &Size );
}
else
{
// can reference it directly
DumpAcl (p->Sacl, (PCHAR)p, &Size);
}
}
// DbgPrint("\n");
// DbgPrint ("PACL Dacl 0x%x\n",p->Dacl);
// If this is self relative, must offset the pointers
if (p->Dacl != NULL)
{
if (p->Control & SE_SELF_RELATIVE)
{
pTmp = (PCHAR)pSD;
pTmp += (ULONG)p->Dacl;
DumpAcl( (PSID)pTmp, (PCHAR)p, &Size );
}
else
{
// can reference it directly
DumpAcl( p->Dacl, (PCHAR)p, &Size );
}
}
}
//---------------------------------------------------------
// Description :
// Examine an SD descriptor for subauthority and owner
// info
//
// Args :
// pSid - Pointer to SID structure
// pBase - not used (kept for historical reasons)
// pSize - holds the SID size on return
//
// Return : Nothing
//
//---------------------------------------------------------
void CtxDumpSid (
PSID pSid,
PCHAR pBase,
PULONG pSize)
{
PISID p;
ULONG i;
BOOL OK;
DWORD szUserName;
DWORD szDomain;
SID_NAME_USE UserSidType;
WCHAR UserName[256];
WCHAR Domain[256];
ULONG Size = 0;
p = (PISID)pSid;
// DbgPrint("Revision %d, SubAuthorityCount %d\n", p->Revision, p->SubAuthorityCount);
Size += 2; // Revision, SubAuthorityCount
/*
DbgPrint("IdentifierAuthority: %x %x %x %x %x %x\n",
p->IdentifierAuthority.Value[0],
p->IdentifierAuthority.Value[1],
p->IdentifierAuthority.Value[2],
p->IdentifierAuthority.Value[3],
p->IdentifierAuthority.Value[4],
p->IdentifierAuthority.Value[5] );
*/
Size += 6; // IdentifierAuthority
for (i=0; i < p->SubAuthorityCount; i++)
{
// DbgPrint("SubAuthority[%d] 0x%x\n", i, p->SubAuthority[i]);
Size += sizeof(ULONG);
}
if (pSize)
{
*pSize = Size;
}
szUserName = sizeof (UserName);
szDomain = sizeof (Domain);
// Now print its account
/*
OK = LookupAccountSidW (
NULL, // Computer Name
pSid,
UserName,
&szUserName,
Domain,
&szDomain,
&UserSidType);
*/
// if (OK)
// {
// DbgPrint("Account Name %ws, Domain %ws, Type %d, SidSize %d\n",UserName,Domain,UserSidType,Size);
// }
// else
// {
// DbgPrint("Error looking up account name %d, SizeSid %d\n",GetLastError(),Size);
// }
}
//---------------------------------------------------------
// Description :
// Unfolds an ACL dumping all the ACEs in the process
// checking consistency by tracking the actual size
//
// Args :
// pAcl - Pointer to ACL structure
// pBase - not used (kept for historical reasons)
// pSize - holds the size on return
//
// Return : Nothing
//
//---------------------------------------------------------
void DumpAcl (PACL pAcl, PCHAR pBase, PULONG pSize)
{
USHORT i;
PCHAR pTmp;
ULONG Size, MySize;
PACL p = pAcl;
PCHAR pCur = (PCHAR)pAcl;
MySize = 0;
// DbgPrint ("AclRevision %d, Sbz1 %d, AclSize %d, AceCount %d, Sbz2 %d\n",
// p->AclRevision, p->Sbz1, p->AclSize, p->AceCount, p->Sbz2);
// bump over the ACL header to point to the first ACE
pCur += sizeof (ACL);
MySize += sizeof (ACL);
for (i=0; i < p->AceCount; i++)
{
DumpAce ((PACE_HEADER)pCur, pBase, &Size );
pCur += Size;
MySize += Size;
}
// ACL consistency check
if( p->AclSize != MySize )
{
//
// HACK!HACK!HACK!
// |
// |
// |
// v
if (p->AclSize == 1023) // This hack is in response to MS bug #1607. The hive load fails on ACL
{ // size alignment check. The sw hive file that causes this problem has
p->AclSize = 1024; // about 3k SD entries of ACL size 1023. This hack adjusts this.
}
// ^
// |
// |
// |
// |
// HACK!HACK!HACK!
// DbgPrint("Inconsistent ACL Entry! p->AclSize %d, RealSize %d\n",p->AclSize,MySize);
// p->AclSize = MySize;
BadACL++;
}
// return the size of this ACL
*pSize = MySize;
return;
}
//---------------------------------------------------------
// Description :
// Unfolds an ACE descriptor checking consistency by
// tracking the actual size
//
// Args :
// pAce - Pointer to ACE structure
// pBase - not used (kept for historical reasons)
// pSize - holds the size on return
//
// Return : Nothing
//
//---------------------------------------------------------
void DumpAce (PACE_HEADER pAce,
PCHAR pBase,
PULONG pSize)
{
PACE_HEADER p = pAce;
PACCESS_ALLOWED_ACE pAl;
PACCESS_DENIED_ACE pAd;
PSYSTEM_AUDIT_ACE pSa;
PSYSTEM_ALARM_ACE pSl;
PCHAR pTmp;
ULONG MySize, Size, saveSize;
// DbgPrint ("ACE_HEADER: Type %d, Flags 0x%x, Size %d\n",
// p->AceType, p->AceFlags, p->AceSize );
switch (p->AceType)
{
case ACCESS_ALLOWED_ACE_TYPE:
pAl = (PACCESS_ALLOWED_ACE)p;
// DbgPrint("ACCESS_ALLOWED_ACE: AccessMask 0x%x, Sid 0x%x\n",pAl->Mask,pAl->SidStart);
MySize = sizeof(ACCESS_ALLOWED_ACE);
if (pAl->SidStart)
{
pTmp = (PCHAR)&pAl->SidStart;
CtxDumpSid( (PSID)pTmp, pBase, &Size );
MySize += Size;
// Adjust for the first ULONG of the ACE
// being part of the Sid
MySize -= sizeof(ULONG);
}
break;
case ACCESS_DENIED_ACE_TYPE:
pAd = (PACCESS_DENIED_ACE)p;
// DbgPrint("ACCESS_DENIED_ACE: AccessMask 0x%x, Sid 0x%x\n",pAd->Mask,pAd->SidStart);
MySize = sizeof(ACCESS_DENIED_ACE);
if (pAd->SidStart)
{
pTmp = (PCHAR)&pAd->SidStart;
CtxDumpSid( (PSID)pTmp, pBase, &Size );
MySize += Size;
// Adjust for the first ULONG of the ACE
// being part of the Sid
MySize -= sizeof(ULONG);
}
break;
case SYSTEM_AUDIT_ACE_TYPE:
pSa = (PSYSTEM_AUDIT_ACE)p;
// DbgPrint("SYSTEM_AUDIT_ACE: AccessMask 0x%x, Sid 0x%x\n",pSa->Mask,pSa->SidStart);
MySize = sizeof(SYSTEM_AUDIT_ACE);
if ( pSa->SidStart )
{
pTmp = (PCHAR)&pSa->SidStart;
CtxDumpSid( (PSID)pTmp, pBase, &Size );
MySize += Size;
// Adjust for the first ULONG of the ACE
// being part of the Sid
MySize -= sizeof(ULONG);
}
break;
case SYSTEM_ALARM_ACE_TYPE:
pSl = (PSYSTEM_ALARM_ACE)p;
// DbgPrint("SYSTEM_ALARM_ACE: AccessMask 0x%x, Sid 0x%x\n",pSl->Mask,pSl->SidStart);
MySize = sizeof(SYSTEM_ALARM_ACE);
if (pSl->SidStart)
{
pTmp = (PCHAR)&pSl->SidStart;
CtxDumpSid( (PSID)pTmp, pBase, &Size );
MySize += Size;
// Adjust for the first ULONG of the ACE
// being part of the Sid
MySize -= sizeof(ULONG);
}
break;
default:
break;
// DbgPrint("Unknown ACE type %d\n", p->AceType);
}
saveSize = p->AceSize;
// Check its consistency
if ( p->AceSize != MySize )
{
// DbgPrint("Inconsistent ACE Entry! p->AceSize %d, RealSize %d\n",p->AceSize,MySize);
// p->AceSize = MySize;
BadACE++;
}
// return the size so the caller can update the pointer
// *pSize = p->AceSize;
*pSize = saveSize;
// DbgPrint("\n");
return;
}
/*******************************************************************************
*
* AreWeRunningTerminalServices
*
* Check if we are running terminal server
*
* ENTRY:
*
* EXIT: BOOL: True if we are running Terminal Services False if we
* are not running Terminal Services
*
*
******************************************************************************/
BOOL AreWeRunningTerminalServices(void)
{
OSVERSIONINFOEX osVersionInfo;
DWORDLONG dwlConditionMask = 0;
ZeroMemory(&osVersionInfo, sizeof(OSVERSIONINFOEX));
osVersionInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
osVersionInfo.wSuiteMask = VER_SUITE_TERMINAL;
VER_SET_CONDITION( dwlConditionMask, VER_SUITENAME, VER_AND );
return VerifyVersionInfo(
&osVersionInfo,
VER_SUITENAME,
dwlConditionMask
);
}