Status FileEventSubscriber::Callback(const INotifyEventContextRef& ec,
const void* user_data) {
Row r;
r["action"] = ec->action;
r["target_path"] = ec->path;
if (user_data != nullptr) {
r["category"] = *(std::string*)user_data;
} else {
r["category"] = "Undefined";
}
r["transaction_id"] = INTEGER(ec->event->cookie);
if (ec->action == "CREATED" || ec->action == "UPDATED") {
r["md5"] = hashFromFile(HASH_TYPE_MD5, ec->path);
r["sha1"] = hashFromFile(HASH_TYPE_SHA1, ec->path);
r["sha256"] = hashFromFile(HASH_TYPE_SHA256, ec->path);
}
if (ec->action != "" && ec->action != "OPENED") {
// A callback is somewhat useless unless it changes the EventSubscriber
// state or calls `add` to store a marked up event.
add(r, ec->time);
}
return Status(0, "OK");
}
Status FileEventSubscriber::Callback(const FSEventsEventContextRef& ec,
const void* user_data) {
Row r;
r["action"] = ec->action;
r["time"] = ec->time_string;
r["target_path"] = ec->path;
if (user_data != nullptr) {
r["category"] = *(std::string*)user_data;
} else {
r["category"] = "Undefined";
}
r["transaction_id"] = INTEGER(ec->transaction_id);
r["md5"] = hashFromFile(HASH_TYPE_MD5, ec->path);
r["sha1"] = hashFromFile(HASH_TYPE_SHA1, ec->path);
r["sha256"] = hashFromFile(HASH_TYPE_SHA256, ec->path);
if (ec->action != "") {
add(r, ec->time);
}
return Status(0, "OK");
}
Status Carver::compress(const std::set<boost::filesystem::path>& paths) {
auto arch = archive_write_new();
if (arch == nullptr) {
return Status(1, "Failed to create tar archive");
}
// Zipping doesn't seem to be working currently
// archive_write_set_format_zip(arch);
archive_write_set_format_pax_restricted(arch);
auto ret = archive_write_open_filename(arch, archivePath_.string().c_str());
if (ret == ARCHIVE_FATAL) {
archive_write_free(arch);
return Status(1, "Failed to open tar archive for writing");
}
for (const auto& f : paths) {
PlatformFile pFile(f.string(), PF_OPEN_EXISTING | PF_READ);
auto entry = archive_entry_new();
archive_entry_set_pathname(entry, f.leaf().string().c_str());
archive_entry_set_size(entry, pFile.size());
archive_entry_set_filetype(entry, AE_IFREG);
archive_entry_set_perm(entry, 0644);
// archive_entry_set_atime();
// archive_entry_set_ctime();
// archive_entry_set_mtime();
archive_write_header(arch, entry);
// TODO: Chunking or a max file size.
std::ifstream in(f.string(), std::ios::binary);
std::stringstream buffer;
buffer << in.rdbuf();
archive_write_data(arch, buffer.str().c_str(), buffer.str().size());
in.close();
archive_entry_free(entry);
}
archive_write_free(arch);
PlatformFile archFile(archivePath_.string(), PF_OPEN_EXISTING | PF_READ);
updateCarveValue(carveGuid_, "size", std::to_string(archFile.size()));
updateCarveValue(
carveGuid_,
"sha256",
hashFromFile(HashType::HASH_TYPE_SHA256, archivePath_.string()));
return Status(0, "Ok");
};
TEST_F(HashTests, test_file_hashing) {
auto digest = hashFromFile(HASH_TYPE_MD5, kTestDataPath + "test_hashing.bin");
EXPECT_EQ(digest, "88ee11f2aa7903f34b8b8785d92208b1");
}
QueryData genKernelInfo(QueryContext& context) {
QueryData results;
mach_port_t master_port;
auto kr = IOMasterPort(bootstrap_port, &master_port);
if (kr != KERN_SUCCESS) {
VLOG(1) << "Could not get the IOMaster port";
return {};
}
// NVRAM registry entry is :/options.
auto chosen = IORegistryEntryFromPath(master_port, kIODTChosenPath_);
if (chosen == 0) {
VLOG(1) << "Could not get IOKit boot device";
return {};
}
// Parse the boot arguments, usually none.
CFMutableDictionaryRef properties;
kr = IORegistryEntryCreateCFProperties(
chosen, &properties, kCFAllocatorDefault, 0);
IOObjectRelease(chosen);
if (kr != KERN_SUCCESS) {
VLOG(1) << "Could not get IOKit boot device properties";
return {};
}
Row r;
CFTypeRef property;
if (CFDictionaryGetValueIfPresent(
properties, CFSTR("boot-args"), &property)) {
r["arguments"] = stringFromCFData((CFDataRef)property);
}
if (CFDictionaryGetValueIfPresent(
properties, CFSTR("boot-device-path"), &property)) {
r["device"] = getCanonicalEfiDevicePath((CFDataRef)property);
}
if (CFDictionaryGetValueIfPresent(
properties, CFSTR("boot-file"), &property)) {
r["path"] = stringFromCFData((CFDataRef)property);
boost::trim(r["path"]);
}
// No longer need chosen properties.
CFRelease(properties);
// The kernel version, signature, and build information is stored in Root.
auto root = IORegistryGetRootEntry(master_port);
if (root != 0) {
property = (CFDataRef)IORegistryEntryCreateCFProperty(
root, CFSTR(kIOKitBuildVersionKey), kCFAllocatorDefault, 0);
if (property != nullptr) {
// The version is in the form:
// Darwin Kernel Version VERSION: DATE; root:BUILD/TAG
auto signature = stringFromCFString((CFStringRef)property);
CFRelease(property);
r["version"] = signature.substr(22, signature.find(":") - 22);
}
}
// With the path and device, try to locate the on-disk kernel
if (r.count("path") > 0) {
// This does not use the device path, potential invalidation.
r["md5"] = hashFromFile(HASH_TYPE_MD5, "/" + r["path"]);
}
results.push_back(r);
return results;
}
