Status FileEventSubscriber::Callback(const INotifyEventContextRef& ec, const void* user_data) { Row r; r["action"] = ec->action; r["target_path"] = ec->path; if (user_data != nullptr) { r["category"] = *(std::string*)user_data; } else { r["category"] = "Undefined"; } r["transaction_id"] = INTEGER(ec->event->cookie); if (ec->action == "CREATED" || ec->action == "UPDATED") { r["md5"] = hashFromFile(HASH_TYPE_MD5, ec->path); r["sha1"] = hashFromFile(HASH_TYPE_SHA1, ec->path); r["sha256"] = hashFromFile(HASH_TYPE_SHA256, ec->path); } if (ec->action != "" && ec->action != "OPENED") { // A callback is somewhat useless unless it changes the EventSubscriber // state or calls `add` to store a marked up event. add(r, ec->time); } return Status(0, "OK"); }
Status FileEventSubscriber::Callback(const FSEventsEventContextRef& ec, const void* user_data) { Row r; r["action"] = ec->action; r["time"] = ec->time_string; r["target_path"] = ec->path; if (user_data != nullptr) { r["category"] = *(std::string*)user_data; } else { r["category"] = "Undefined"; } r["transaction_id"] = INTEGER(ec->transaction_id); r["md5"] = hashFromFile(HASH_TYPE_MD5, ec->path); r["sha1"] = hashFromFile(HASH_TYPE_SHA1, ec->path); r["sha256"] = hashFromFile(HASH_TYPE_SHA256, ec->path); if (ec->action != "") { add(r, ec->time); } return Status(0, "OK"); }
Status Carver::compress(const std::set<boost::filesystem::path>& paths) { auto arch = archive_write_new(); if (arch == nullptr) { return Status(1, "Failed to create tar archive"); } // Zipping doesn't seem to be working currently // archive_write_set_format_zip(arch); archive_write_set_format_pax_restricted(arch); auto ret = archive_write_open_filename(arch, archivePath_.string().c_str()); if (ret == ARCHIVE_FATAL) { archive_write_free(arch); return Status(1, "Failed to open tar archive for writing"); } for (const auto& f : paths) { PlatformFile pFile(f.string(), PF_OPEN_EXISTING | PF_READ); auto entry = archive_entry_new(); archive_entry_set_pathname(entry, f.leaf().string().c_str()); archive_entry_set_size(entry, pFile.size()); archive_entry_set_filetype(entry, AE_IFREG); archive_entry_set_perm(entry, 0644); // archive_entry_set_atime(); // archive_entry_set_ctime(); // archive_entry_set_mtime(); archive_write_header(arch, entry); // TODO: Chunking or a max file size. std::ifstream in(f.string(), std::ios::binary); std::stringstream buffer; buffer << in.rdbuf(); archive_write_data(arch, buffer.str().c_str(), buffer.str().size()); in.close(); archive_entry_free(entry); } archive_write_free(arch); PlatformFile archFile(archivePath_.string(), PF_OPEN_EXISTING | PF_READ); updateCarveValue(carveGuid_, "size", std::to_string(archFile.size())); updateCarveValue( carveGuid_, "sha256", hashFromFile(HashType::HASH_TYPE_SHA256, archivePath_.string())); return Status(0, "Ok"); };
TEST_F(HashTests, test_file_hashing) { auto digest = hashFromFile(HASH_TYPE_MD5, kTestDataPath + "test_hashing.bin"); EXPECT_EQ(digest, "88ee11f2aa7903f34b8b8785d92208b1"); }
QueryData genKernelInfo(QueryContext& context) { QueryData results; mach_port_t master_port; auto kr = IOMasterPort(bootstrap_port, &master_port); if (kr != KERN_SUCCESS) { VLOG(1) << "Could not get the IOMaster port"; return {}; } // NVRAM registry entry is :/options. auto chosen = IORegistryEntryFromPath(master_port, kIODTChosenPath_); if (chosen == 0) { VLOG(1) << "Could not get IOKit boot device"; return {}; } // Parse the boot arguments, usually none. CFMutableDictionaryRef properties; kr = IORegistryEntryCreateCFProperties( chosen, &properties, kCFAllocatorDefault, 0); IOObjectRelease(chosen); if (kr != KERN_SUCCESS) { VLOG(1) << "Could not get IOKit boot device properties"; return {}; } Row r; CFTypeRef property; if (CFDictionaryGetValueIfPresent( properties, CFSTR("boot-args"), &property)) { r["arguments"] = stringFromCFData((CFDataRef)property); } if (CFDictionaryGetValueIfPresent( properties, CFSTR("boot-device-path"), &property)) { r["device"] = getCanonicalEfiDevicePath((CFDataRef)property); } if (CFDictionaryGetValueIfPresent( properties, CFSTR("boot-file"), &property)) { r["path"] = stringFromCFData((CFDataRef)property); boost::trim(r["path"]); } // No longer need chosen properties. CFRelease(properties); // The kernel version, signature, and build information is stored in Root. auto root = IORegistryGetRootEntry(master_port); if (root != 0) { property = (CFDataRef)IORegistryEntryCreateCFProperty( root, CFSTR(kIOKitBuildVersionKey), kCFAllocatorDefault, 0); if (property != nullptr) { // The version is in the form: // Darwin Kernel Version VERSION: DATE; root:BUILD/TAG auto signature = stringFromCFString((CFStringRef)property); CFRelease(property); r["version"] = signature.substr(22, signature.find(":") - 22); } } // With the path and device, try to locate the on-disk kernel if (r.count("path") > 0) { // This does not use the device path, potential invalidation. r["md5"] = hashFromFile(HASH_TYPE_MD5, "/" + r["path"]); } results.push_back(r); return results; }