valitydev/osquery-1
14
0
Fork 0
mirror of https://github.com/valitydev/osquery-1.git synced 2024-11-07 18:08:53 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fixed bug in MULTI_SZ processing (#2439)

Browse Source
This commit is contained in:
Nick Anderson 2016-09-06 16:41:57 -07:00 committed by GitHub
parent 4f6c802c7b
commit 01011f4d0f
1 changed files with 13 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
osquery/tables/system/windows/registry.cpp
View File

@ -174,8 +174,13 @@ void queryKey(const std::string& hive,
DWORD lpData = cbMaxValueData;
DWORD lpType;
LONG dwRes = RegQueryValueEx(
retCode = RegQueryValueEx(
hRegistryHandle, achValue, 0, &lpType, bpDataBuff, &lpData);
if (retCode != ERROR_SUCCESS) {
continue;
}
Row r;
fs::path keyPath(key);
r["hive"] = hive;
@ -187,9 +192,10 @@ void queryKey(const std::string& hive,
} else {
r["type"] = "UNKNOWN";
}
r["mtime"] = std::to_string(filetimeToUnixtime(ftLastWriteTime));
bpDataBuff[cbMaxValueData - 1] = 0x00;
/// REG_LINK is a Unicode string, which in Windows is wchar_t
char* regLinkStr = nullptr;
if (lpType == REG_LINK) {
@ -203,6 +209,7 @@ void queryKey(const std::string& hive,
_TRUNCATE);
}
BYTE* bpDataBuffTmp = bpDataBuff;
std::vector<std::string> multiSzStrs;
std::vector<char> regBinary;
std::string data;
@ -231,12 +238,12 @@ void queryKey(const std::string& hive,
r["data"] = std::string(regLinkStr);
break;
case REG_MULTI_SZ:
while (cnt <= cbMaxValueData) {
std::string s((char*)bpDataBuff);
bpDataBuff += s.size();
while (*bpDataBuffTmp != 0x00) {
std::string s((char*)bpDataBuffTmp);
bpDataBuffTmp += s.size() + 1;
multiSzStrs.push_back(s);
}
r["data"] = boost::algorithm::join(multiSzStrs, "\n\n");
r["data"] = boost::algorithm::join(multiSzStrs, ",");
break;
case REG_NONE:
r["data"] = std::string((char*)bpDataBuff);