/* Returns 0 on success and 1 on error */
uint8_t
tsk_fs_fls(TSK_FS_INFO * fs, TSK_FS_FLS_FLAG_ENUM lclflags,
TSK_INUM_T inode, TSK_FS_DIR_WALK_FLAG_ENUM flags, TSK_TCHAR * tpre,
int32_t skew)
{
FLS_DATA data;
data.flags = lclflags;
data.sec_skew = skew;
#ifdef TSK_WIN32
{
size_t clen;
UTF8 *ptr8;
UTF16 *ptr16;
int retval;
if ((tpre != NULL) && (TSTRLEN(tpre) > 0)) {
clen = TSTRLEN(tpre) * 4;
data.macpre = (char *) tsk_malloc(clen);
if (data.macpre == NULL) {
return 1;
}
ptr8 = (UTF8 *) data.macpre;
ptr16 = (UTF16 *) tpre;
retval =
tsk_UTF16toUTF8_lclorder((const UTF16 **) &ptr16, (UTF16 *)
& ptr16[TSTRLEN(tpre) + 1], &ptr8,
(UTF8 *) ((uintptr_t) ptr8 + clen), TSKlenientConversion);
if (retval != TSKconversionOK) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_FS_UNICODE);
tsk_error_set_errstr
("Error converting fls mactime pre-text to UTF-8 %d\n",
retval);
return 1;
}
}
else {
data.macpre = (char *) tsk_malloc(1);
if (data.macpre == NULL) {
return 1;
}
data.macpre[0] = '\0';
}
retval = tsk_fs_dir_walk(fs, inode, flags, print_dent_act, &data);
free(data.macpre);
data.macpre = NULL;
return retval;
}
#else
data.macpre = tpre;
return tsk_fs_dir_walk(fs, inode, flags, print_dent_act, &data);
#endif
}
/**
* @param db_path Path to DB, which probably does not exist. But it gets passed in because we need
* it in a bunch of places.
* @param idx_path Path to index file (should be superset of db_path)
*/
TSK_HDB_INFO *idxonly_open(const TSK_TCHAR *db_path, const TSK_TCHAR *idx_path)
{
TSK_HDB_BINSRCH_INFO *hdb_binsrch_info = NULL;
TSK_TCHAR *ext;
TSK_HDB_HTYPE_ENUM htype;
hdb_binsrch_info = hdb_binsrch_open(NULL, db_path);
if (NULL == hdb_binsrch_info) {
return NULL;
}
hdb_binsrch_info->base.db_type = TSK_HDB_DBTYPE_IDXONLY_ID;
// open the index
ext = TSTRRCHR(idx_path, _TSK_T('-'));
if (ext == NULL) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_ARG);
tsk_error_set_errstr("idxonly_open: invalid file name (no extension): %" PRIttocTSK, idx_path);
return NULL;
}
else if ((TSTRLEN(ext) == 8) && (TSTRICMP(ext, _TSK_T("-md5.idx")) == 0)) {
htype = TSK_HDB_HTYPE_MD5_ID;
}
else if ((TSTRLEN(ext) == 9) && (TSTRICMP(ext, _TSK_T("-sha1.idx")) == 0)) {
htype = TSK_HDB_HTYPE_SHA1_ID;
}
else {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_ARG);
tsk_error_set_errstr("idxonly_open: invalid file name (unknown extension): %" PRIttocTSK, idx_path);
return NULL;
}
if (hdb_binsrch_open_idx((TSK_HDB_INFO*)hdb_binsrch_info, htype)) {
return NULL;
}
if (idxonly_name(hdb_binsrch_info)) {
hdb_binsrch_close((TSK_HDB_INFO*)hdb_binsrch_info);
return NULL;
}
hdb_binsrch_info->base.get_db_path = idxonly_get_db_path;
hdb_binsrch_info->get_entry = idxonly_getentry;
// Before returning, do one final check that we'll be able to open
// the index file
if (hdb_binsrch_open_idx((TSK_HDB_INFO*)hdb_binsrch_info, hdb_binsrch_info->hash_type)) {
hdb_binsrch_close((TSK_HDB_INFO*)hdb_binsrch_info);
return NULL;
}
return (TSK_HDB_INFO*)hdb_binsrch_info;
}
int carving_hive(TCHAR * path, TSK_FS_INFO *fs, TSK_INUM_T inode)
{
char buf[0x2000];
memset(buf, 0, 0x2000);
WideCharToMultiByte(CP_ACP, 0, path, TSTRLEN(path) , buf, TSTRLEN(path) , NULL, NULL);
if(tsk_fs_path2inum(fs, buf, &inode, NULL)){
tsk_error_print(stderr);
return 0;
}
if(hive_extract(fs, inode, TSK_FS_ATTR_TYPE_DEFAULT, NULL, NULL,NULL, (TSK_FS_FILE_WALK_FLAG_ENUM) 0))
return 0;
return 1;
}
/**
* \ingroup hashdblib
* Sets hash database name in hdb_info based on database file path.
* @param hdb_info Struct representation of an open hash database.
*/
void
hdb_base_db_name_from_path(TSK_HDB_INFO *hdb_info)
{
#ifdef TSK_WIN32
const char PATH_CHAR = '\\';
#else
const char PATH_CHAR = '/';
#endif
TSK_TCHAR * begin;
TSK_TCHAR * end;
int i;
hdb_info->db_name[0] = '\0';
begin = TSTRRCHR(hdb_info->db_fname, PATH_CHAR);
#ifdef TSK_WIN32
// cygwin can have forward slashes, so try that too on Windows
if (!begin) {
begin = TSTRRCHR(hdb_info->db_fname, '/');
}
#endif
if (!begin) {
begin = hdb_info->db_fname;
}
else {
// unlikely since this means that the dbname is "/"
if (TSTRLEN(begin) == 1)
return;
else
begin++;
}
// end points to the byte after the last one we want to use
if ((TSTRLEN(hdb_info->db_fname) > 4) && (TSTRICMP(&hdb_info->db_fname[TSTRLEN(hdb_info->db_fname)-4], _TSK_T(".idx")) == 0))
end = &hdb_info->db_fname[TSTRLEN(hdb_info->db_fname)-4];
else
end = begin + TSTRLEN(begin);
// @@@ This only works for file names with Latin characters. It may need
// to be fixed some day. Leave it be for now.
for(i = 0; i < (end-begin); i++)
{
hdb_info->db_name[i] = (char) begin[i];
}
hdb_info->db_name[i] = '\0';
}
/**
* \ingroup baselib
* Parse a TSK_TCHAR block address string.
* Note that the cnt\@size format is no longer supported.
* Set the device sector size in img_open to set the block size.
*
* @param [in] a_offset_str The string version of the offset
* @return -1 on error or block offset on success
*/
TSK_OFF_T
tsk_parse_offset(const TSK_TCHAR * a_offset_str)
{
TSK_TCHAR offset_lcl[64], *offset_lcl_p;
TSK_DADDR_T num_blk;
TSK_TCHAR *cp;
if (a_offset_str == NULL) {
return 0;
}
if (TSTRLEN(a_offset_str) > 63) {
tsk_error_reset();
tsk_errno = TSK_ERR_IMG_OFFSET;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"tsk_parse: offset string is too long: %" PRIttocTSK,
a_offset_str);
return -1;
}
/* Make a local copy */
TSTRNCPY(offset_lcl, a_offset_str, 64);
offset_lcl_p = offset_lcl;
/* Check for the old x@y setup */
if (TSTRCHR(offset_lcl_p, '@') != NULL) {
tsk_error_reset();
tsk_errno = TSK_ERR_IMG_OFFSET;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"tsk_parse: offset string format no longer supported. Use -b to specify sector size: %" PRIttocTSK,
a_offset_str);
return -1;
}
offset_lcl_p = offset_lcl;
/* remove leading 0s */
while ((offset_lcl_p[0] != '\0') && (offset_lcl_p[0] == '0'))
offset_lcl_p++;
num_blk = 0;
if (offset_lcl_p[0] != '\0') {
num_blk = TSTRTOULL(offset_lcl_p, &cp, 0);
if (*cp || *cp == *offset_lcl_p) {
tsk_error_reset();
tsk_errno = TSK_ERR_IMG_OFFSET;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"tsk_parse: invalid image offset: %" PRIttocTSK,
offset_lcl_p);
return -1;
}
}
return num_blk;
}
void CMemoryStream::Save(TSTLSTRING strFilePath)
{
char* pBuffer = new char[m_SaveBufferList.first];
memset(pBuffer, 0, m_SaveBufferList.first);
DWORD dwPos = 0;
for(list<pair<DWORD, const char*> >::iterator iter = m_SaveBufferList.second.begin();
iter != m_SaveBufferList.second.end();
++iter)
{
if(iter->first == CMemoryStream::DWORD_TYPE)
{
memcpy(pBuffer + dwPos, iter->second, sizeof(DWORD));
dwPos += sizeof(DWORD);
DWORD* pVal = (DWORD*)iter->second;
delete pVal;
}
else
{
memcpy(pBuffer + dwPos, iter->second, sizeof(TSTLSTRING::value_type) * TSTRLEN((const TSTLSTRING::value_type*)iter->second));
dwPos += sizeof(TSTLSTRING::value_type) * (TSTRLEN((const TSTLSTRING::value_type*)iter->second) + 1);
delete [] iter->second;
}
}
HANDLE hFile = CreateFile(strFilePath.c_str(), FILE_ALL_ACCESS, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if(hFile != INVALID_HANDLE_VALUE)
{
DWORD dwWritten = 0;
if(!WriteFile(hFile, pBuffer, m_SaveBufferList.first, &dwWritten, NULL))
throw Exception(TEXT("写入文件失败。"));
CloseHandle(hFile);
}
else
{
throw Exception(TEXT("创建文件失败。"));
}
delete [] pBuffer;
m_SaveBufferList.first = 0;
m_SaveBufferList.second.clear();
}
/**
* Find the meta data address for a given file TCHAR name
*
* @param fs FS to analyze
* @param tpath Path of file to search for
* @param [out] result Meta data address of file
* @returns -1 on error, 0 if found, and 1 if not found
*/
int8_t
tsk_fs_ifind_path(TSK_FS_INFO * fs, TSK_TCHAR * tpath, TSK_INUM_T * result)
{
#ifdef TSK_WIN32
// Convert the UTF-16 path to UTF-8
{
size_t clen;
UTF8 *ptr8;
UTF16 *ptr16;
int retval;
char *cpath;
clen = TSTRLEN(tpath) * 4;
if ((cpath = (char *) tsk_malloc(clen)) == NULL) {
return -1;
}
ptr8 = (UTF8 *) cpath;
ptr16 = (UTF16 *) tpath;
retval =
tsk_UTF16toUTF8_lclorder((const UTF16 **) &ptr16, (UTF16 *)
& ptr16[TSTRLEN(tpath) + 1], &ptr8,
(UTF8 *) ((uintptr_t) ptr8 + clen), TSKlenientConversion);
if (retval != TSKconversionOK) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_FS_UNICODE);
tsk_error_set_errstr
("tsk_fs_ifind_path: Error converting path to UTF-8: %d",
retval);
free(cpath);
return -1;
}
return tsk_fs_path2inum(fs, cpath, result, NULL);
}
#else
return tsk_fs_path2inum(fs, (const char *) tpath, result, NULL);
#endif
}
static int convert(TSK_TCHAR *OPTARG, char **_opt_arg)
{
char *opt_arg=*_opt_arg;
char *temp = NULL;
int arg_len = TSTRLEN(OPTARG);
int ret_val = 0;
opt_arg=(char *)tsk_malloc(TSTRLEN(OPTARG)+2);
temp=opt_arg;
ret_val =
tsk_UTF16toUTF8(TSK_LIT_ENDIAN,
(const UTF16 **) &OPTARG, (UTF16 *)(OPTARG+arg_len+1),
(UTF8 **)&temp, (UTF8 *)(temp+arg_len+2), TSKlenientConversion);
if (ret_val)
{
printf("Conversion Error ret_val: %d\n", ret_val);
return ret_val;
}
*_opt_arg=opt_arg;
printf("opt_arg: %s\n",opt_arg);
return 0;
}
/**
* Setup the hash-type specific information (such as length, index entry
* sizes, index name etc.) in the HDB_INFO structure.
*
* @param hdb_info Structure to fill in.
* @param htype Hash type being used
* @return 1 on error and 0 on success
*/
static uint8_t
hdb_setuphash(TSK_HDB_INFO * hdb_info, uint8_t htype)
{
size_t flen;
if (hdb_info->hash_type != 0) {
return 0;
}
/* Make the name for the index file */
flen = TSTRLEN(hdb_info->db_fname) + 32;
hdb_info->idx_fname =
(TSK_TCHAR *) talloc_size(hdb_info, flen * sizeof(TSK_TCHAR));
if (hdb_info->idx_fname == NULL) {
return 1;
}
/* Get hash type specific information */
switch (htype) {
case TSK_HDB_HTYPE_MD5_ID:
hdb_info->hash_type = htype;
hdb_info->hash_len = TSK_HDB_HTYPE_MD5_LEN;
hdb_info->idx_llen = TSK_HDB_IDX_LEN(htype);
TSNPRINTF(hdb_info->idx_fname, flen, _TSK_T("%s-%s.idx"),
hdb_info->db_fname, _TSK_T(TSK_HDB_HTYPE_MD5_STR));
return 0;
case TSK_HDB_HTYPE_SHA1_ID:
hdb_info->hash_type = htype;
hdb_info->hash_len = TSK_HDB_HTYPE_SHA1_LEN;
hdb_info->idx_llen = TSK_HDB_IDX_LEN(htype);
TSNPRINTF(hdb_info->idx_fname, flen, _TSK_T("%s-%s.idx"),
hdb_info->db_fname, _TSK_T(TSK_HDB_HTYPE_SHA1_STR));
return 0;
}
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_ARG;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"hdb_setuphash: Invalid hash type as argument: %d", htype);
return 1;
}
/**
* \ingroup hashdblib
* \internal
* Initializes TSK_HDB_INFO struct with "base class" method pointers and basic
* setup of values.
* @param hdb_info Allocated struct to initialize.
* @param db_path
* @return 0 on success, 1 on failure.
*/
uint8_t
hdb_info_base_open(TSK_HDB_INFO *hdb_info, const TSK_TCHAR *db_path)
{
// copy the database path into the struct
size_t path_len = TSTRLEN(db_path);
hdb_info->db_fname = (TSK_TCHAR*)tsk_malloc((path_len + 1) * sizeof(TSK_TCHAR));
if (!hdb_info->db_fname) {
return 1;
}
TSTRNCPY(hdb_info->db_fname, db_path, path_len);
// set the name based on path
hdb_base_db_name_from_path(hdb_info);
hdb_info->db_type = TSK_HDB_DBTYPE_INVALID_ID;
tsk_init_lock(&hdb_info->lock);
hdb_info->transaction_in_progress = 0;
hdb_info->get_db_path = hdb_base_get_db_path;
hdb_info->get_display_name = hdb_base_get_display_name;
hdb_info->uses_external_indexes = hdb_base_uses_external_indexes;
hdb_info->get_index_path = hdb_base_get_index_path;
hdb_info->has_index = hdb_base_has_index;
hdb_info->make_index = hdb_base_make_index;
hdb_info->open_index = hdb_base_open_index;
hdb_info->lookup_str = hdb_base_lookup_str;
hdb_info->lookup_raw = hdb_base_lookup_bin;
hdb_info->lookup_verbose_str = hdb_base_lookup_verbose_str;
hdb_info->accepts_updates = hdb_base_accepts_updates;
hdb_info->add_entry = hdb_base_add_entry;
hdb_info->begin_transaction = hdb_base_begin_transaction;
hdb_info->commit_transaction = hdb_base_commit_transaction;
hdb_info->rollback_transaction = hdb_base_rollback_transaction;
hdb_info->close_db = hdb_info_base_close;
return 0;
}
/**
* \ingroup hashdblib
* Creates a new hash database.
* @param file_path Path for database to create.
* @return 0 on success, 1 otherwise
*/
uint8_t
tsk_hdb_create(TSK_TCHAR *file_path)
{
TSK_TCHAR *ext = NULL;
if (NULL == file_path) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_ARG);
tsk_error_set_errstr("tsk_hdb_create: NULL file path");
return 1;
}
ext = TSTRRCHR(file_path, _TSK_T('.'));
if ((NULL != ext) && (TSTRLEN(ext) >= 4) && (TSTRCMP(ext, _TSK_T(".kdb")) == 0)) {
return sqlite_hdb_create_db(file_path);
}
else {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_ARG);
tsk_error_set_errstr("tsk_hdb_create: path must end in .kdb extension");
return 1;
}
}
/* Return -1 for error, 0 if found, and 1 if not found */
int8_t
tsk_fs_ifind_path(TSK_FS_INFO * fs, uint8_t lclflags, TSK_TCHAR * tpath,
INUM_T * result)
{
char *cpath;
IFIND_PATH_DATA ipd;
localflags = lclflags;
#ifdef TSK_WIN32
{
size_t clen;
UTF8 *ptr8;
UTF16 *ptr16;
int retval;
clen = TSTRLEN(tpath) * 4;
cpath = (char *) tsk_malloc(clen);
if (cpath == NULL) {
return -1;
}
ptr8 = (UTF8 *) cpath;
ptr16 = (UTF16 *) tpath;
retval =
tsk_UTF16toUTF8(fs->endian, (const UTF16 **) &ptr16, (UTF16 *)
& ptr16[TSTRLEN(tpath) + 1], &ptr8,
(UTF8 *) ((uintptr_t) ptr8 + clen), TSKlenientConversion);
if (retval != TSKconversionOK) {
tsk_error_reset();
tsk_errno = TSK_ERR_FS_UNICODE;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"tsk_fs_ifind_path: Error converting path to UTF-8: %d",
retval);
free(cpath);
return -1;
}
}
#else
cpath = tpath;
#endif
ipd.id = IFIND_PATH_DATA_ID;
ipd.found = 0;
ipd.badpath = 0;
ipd.cur_dir = (char *) strtok_r(cpath, "/", &ipd.strtok_last);
ipd.cur_attr = NULL;
/* If there is no token, then only a '/' was given */
if (!(ipd.cur_dir)) {
#ifdef TSK_WIN32
free(cpath);
#endif
*result = fs->root_inum;
return 0;
}
/* If this is NTFS, ensure that we take out the attribute */
if (((fs->ftype & TSK_FS_INFO_TYPE_FS_MASK) ==
TSK_FS_INFO_TYPE_NTFS_TYPE)
&& ((ipd.cur_attr = strchr(ipd.cur_dir, ':')) != NULL)) {
*(ipd.cur_attr) = '\0';
ipd.cur_attr++;
}
if (tsk_verbose)
tsk_fprintf(stderr, "Looking for %s\n", ipd.cur_dir);
if (fs->dent_walk(fs, fs->root_inum,
TSK_FS_DENT_FLAG_ALLOC | TSK_FS_DENT_FLAG_UNALLOC,
ifind_path_act, (void *) &ipd)) {
/* If we found files before the error was encountered, then
* ignore it */
if (ipd.found == 0) {
#ifdef TSK_WIN32
free(cpath);
#endif
return -1;
}
else {
tsk_error_reset();
}
}
#ifdef TSK_WIN32
free(cpath);
#endif
if (1 == ipd.badpath) {
if (tsk_verbose)
tsk_fprintf(stderr, "Invalid path (%s is a file)\n",
fs_dent->name);
*result = 0;
return 1;
}
else if (0 == ipd.found) {
if (tsk_verbose)
tsk_printf("File not found: %s\n", ipd.cur_dir);
*result = 0;
return 1;
}
*result = ipd.addr;
return 0;
}
/**
Originally we used tsk_img_open_sing(), but that leads to calling ewf_open(),
which in turn will fail if the L01 file has an incorrect filename extension.
This function is a simpler version of ewf_open() which will not fail if the
filename extension is wrong.
*/
TSK_IMG_INFO * TskL01Extract::openEwfSimple()
{
const int a_num_img = 1;
unsigned int a_ssize = 512;
int result = 0;
TSK_IMG_INFO *img_info = NULL;
ewf::libewf_error_t *ewfError = NULL;
ewf::IMG_EWF_INFO *ewf_info = NULL;
try
{
// Make an absolute path (if it's relative) so that libewf doesn't cause
// an error when it tries to make it absolute.
Poco::Path tempPath(TskUtilities::toUTF8(m_archivePath));
tempPath.makeAbsolute();
// We convert to unicode here because that is what the TSK_IMG_INFO structure requires.
std::wstring ewfArchivePath = TskUtilities::toUTF16(tempPath.toString());
if ((ewf_info = (ewf::IMG_EWF_INFO *) tsk_img_malloc(sizeof(ewf::IMG_EWF_INFO))) == NULL)
{
throw TskException("tsk_img_malloc");
}
img_info = (TSK_IMG_INFO *) ewf_info;
if (ewf::libewf_handle_initialize(&(ewf_info->handle), &ewfError) != 1)
{
throw TskException("libewf_handle_initialize");
}
//int i;
ewf_info->num_imgs = a_num_img;
if ((ewf_info->images = (TSK_TCHAR **) tsk_malloc(a_num_img * sizeof(TSK_TCHAR *))) == NULL)
{
throw TskException("tsk_malloc");
}
if ((ewf_info->images[0] =
(TSK_TCHAR *) tsk_malloc((TSTRLEN(ewfArchivePath.c_str()) + 1) * sizeof(TSK_TCHAR))) == NULL)
{
throw TskException("tsk_malloc 2");
}
TSTRNCPY(ewf_info->images[0], ewfArchivePath.c_str(), TSTRLEN(ewfArchivePath.c_str()) + 1);
///NOTE: libewf_handle_open_wide() will not open the file if the filename length is < 4 chars long.
ewfError = NULL;
#if defined( TSK_WIN32 )
if (ewf::libewf_handle_open_wide(ewf_info->handle, (TSK_TCHAR * const *) ewf_info->images,
ewf_info->num_imgs, ewf::LIBEWF_ACCESS_FLAG_READ, &ewfError) != 1)
#else
if (ewf::libewf_handle_open(ewf_info->handle,
(char *const *) ewf_info->images,
ewf_info->num_imgs, ewf::LIBEWF_OPEN_READ, &ewfError) != 1)
#endif
{
throw TskException("libewf_handle_open_wide");
}
ewfError = NULL;
if (ewf::libewf_handle_get_media_size(ewf_info->handle,
(ewf::size64_t *) & (img_info->size), &ewfError) != 1)
{
throw TskException("libewf_handle_get_media_size");
}
ewfError = NULL;
result = ewf::libewf_handle_get_utf8_hash_value_md5(ewf_info->handle,
(uint8_t *) ewf_info->md5hash, 33, &ewfError);
if (result == -1)
{
throw TskException("libewf_handle_get_utf8_hash_value_md5");
}
ewf_info->md5hash_isset = result;
if (a_ssize != 0)
{
img_info->sector_size = a_ssize;
}
else
{
img_info->sector_size = 512;
}
img_info->itype = TSK_IMG_TYPE_EWF_EWF;
img_info->close = ewf_image_close;
img_info->read = null_read;
img_info->imgstat = null_imgstat;
// initialize the read lock
tsk_init_lock(&(ewf_info->read_lock));
return img_info;
}
catch (TskException &ex)
{
std::ostringstream msg;
msg << "openEwfSimple: TskException: " << ex.message();
if (ewfError)
{
char errorString[512];
errorString[0] = '\0';
ewf::libewf_error_backtrace_sprint(ewfError, errorString, 512);
msg << " - libewf error: " << errorString << std::endl;
}
LOGERROR(msg.str());
free(ewf_info);
return NULL;
}
}
/**
* \internal
* Open the set of disk images as a set of split raw images
*
* @param a_num_img Number of images in set
* @param a_images List of disk image paths (in sorted order)
* @param a_ssize Size of device sector in bytes (or 0 for default)
*
* @return NULL on error
*/
TSK_IMG_INFO *
raw_open(int a_num_img, const TSK_TCHAR * const a_images[],
unsigned int a_ssize)
{
IMG_RAW_INFO *raw_info;
TSK_IMG_INFO *img_info;
int i;
TSK_OFF_T first_seg_size;
if ((raw_info =
(IMG_RAW_INFO *) tsk_img_malloc(sizeof(IMG_RAW_INFO))) == NULL)
return NULL;
img_info = (TSK_IMG_INFO *) raw_info;
img_info->itype = TSK_IMG_TYPE_RAW;
img_info->read = raw_read;
img_info->close = raw_close;
img_info->imgstat = raw_imgstat;
img_info->sector_size = 512;
if (a_ssize)
img_info->sector_size = a_ssize;
raw_info->is_winobj = 0;
#if defined(TSK_WIN32) || defined(__CYGWIN__)
/* determine if this is the path to a Windows device object */
if ((a_images[0][0] == _TSK_T('\\'))
&& (a_images[0][1] == _TSK_T('\\'))
&& ((a_images[0][2] == _TSK_T('.')) || (a_images[0][2] == _TSK_T('?')))
&& (a_images[0][3] == _TSK_T('\\'))) {
raw_info->is_winobj = 1;
}
#endif
/* Check that the first image file exists and is not a directory */
first_seg_size = get_size(a_images[0], raw_info->is_winobj);
if (first_seg_size < -1) {
tsk_img_free(raw_info);
return NULL;
}
/* see if there are more of them... */
if ((a_num_img == 1) && (raw_info->is_winobj == 0)) {
if ((raw_info->images =
tsk_img_findFiles(a_images[0],
&raw_info->num_img)) == NULL) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_STAT);
tsk_error_set_errstr
("raw_open: could not find segment files starting at \"%"
PRIttocTSK "\"", a_images[0]);
tsk_img_free(raw_info);
return NULL;
}
}
else {
raw_info->num_img = a_num_img;
raw_info->images =
(TSK_TCHAR **) tsk_malloc(sizeof(TSK_TCHAR *) * a_num_img);
if (raw_info->images == NULL) {
tsk_img_free(raw_info);
return NULL;
}
for (i = 0; i < raw_info->num_img; i++) {
size_t len = TSTRLEN(a_images[i]);
raw_info->images[i] =
(TSK_TCHAR *) tsk_malloc(sizeof(TSK_TCHAR) * (len + 1));
if (raw_info->images[i] == NULL) {
int j;
for (j = 0; j < i; j++) {
free(raw_info->images[j]);
}
free(raw_info->images);
tsk_img_free(raw_info);
return NULL;
}
TSTRNCPY(raw_info->images[i], a_images[i], len + 1);
}
}
/* sanity check: when we have multiple segments, the size of
* each must be known */
if ((raw_info->num_img > 1) && (first_seg_size < 0)) {
if (tsk_verbose) {
tsk_fprintf(stderr,
"raw_open: file size is unknown in a segmented raw image\n");
}
for (i = 0; i < raw_info->num_img; i++) {
free(raw_info->images[i]);
}
free(raw_info->images);
tsk_img_free(raw_info);
return NULL;
}
/* initialize the split cache */
raw_info->cptr = (int *) tsk_malloc(raw_info->num_img * sizeof(int));
if (raw_info->cptr == NULL) {
for (i = 0; i < raw_info->num_img; i++) {
free(raw_info->images[i]);
}
free(raw_info->images);
tsk_img_free(raw_info);
return NULL;
}
memset((void *) &raw_info->cache, 0,
SPLIT_CACHE * sizeof(IMG_SPLIT_CACHE));
raw_info->next_slot = 0;
/* initialize the offset table and re-use the first segment
* size gathered above */
raw_info->max_off =
(TSK_OFF_T *) tsk_malloc(raw_info->num_img * sizeof(TSK_OFF_T));
if (raw_info->max_off == NULL) {
free(raw_info->cptr);
for (i = 0; i < raw_info->num_img; i++) {
free(raw_info->images[i]);
}
free(raw_info->images);
tsk_img_free(raw_info);
return NULL;
}
img_info->size = first_seg_size;
raw_info->max_off[0] = img_info->size;
raw_info->cptr[0] = -1;
if (tsk_verbose) {
tsk_fprintf(stderr,
"raw_open: segment: 0 size: %" PRIuOFF " max offset: %"
PRIuOFF " path: %" PRIttocTSK "\n", first_seg_size,
raw_info->max_off[0], raw_info->images[0]);
}
/* get size info for each file - we do not open each one because that
* could cause us to run out of file decsriptors when we only need a few.
* The descriptors are opened as needed */
for (i = 1; i < raw_info->num_img; i++) {
TSK_OFF_T size;
raw_info->cptr[i] = -1;
size = get_size(raw_info->images[i], raw_info->is_winobj);
if (size < 0) {
if (size == -1) {
if (tsk_verbose) {
tsk_fprintf(stderr,
"raw_open: file size is unknown in a segmented raw image\n");
}
}
free(raw_info->cptr);
for (i = 0; i < raw_info->num_img; i++) {
free(raw_info->images[i]);
}
free(raw_info->images);
tsk_img_free(raw_info);
return NULL;
}
/* add the size of this image to the total and save the current max */
img_info->size += size;
raw_info->max_off[i] = img_info->size;
if (tsk_verbose) {
tsk_fprintf(stderr,
"raw_open: segment: %d size: %" PRIuOFF " max offset: %"
PRIuOFF " path: %" PRIttocTSK "\n", i, size,
raw_info->max_off[i], raw_info->images[i]);
}
}
return img_info;
}
int
main(int argc, char ** argv1)
{
int ch;
TSK_TCHAR *idx_type = NULL;
TSK_TCHAR *db_file = NULL;
TSK_TCHAR *lookup_file = NULL;
unsigned int flags = 0;
TSK_HDB_INFO *hdb_info;
TSK_TCHAR **argv;
bool create = false;
bool addHash = false;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if( argv == NULL) {
tsk_fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **)argv1;
#endif
progname = argv[0];
setlocale(LC_ALL, "");
while ((ch = GETOPT(argc, argv, _TSK_T("cef:i:aqV"))) > 0) {
switch (ch) {
case _TSK_T('e'):
flags |= TSK_HDB_FLAG_EXT;
break;
case _TSK_T('f'):
lookup_file = OPTARG;
break;
case _TSK_T('i'):
idx_type = OPTARG;
break;
case _TSK_T('c'):
create = true;
break;
case _TSK_T('a'):
addHash = true;
break;
case _TSK_T('q'):
flags |= TSK_HDB_FLAG_QUICK;
break;
case _TSK_T('V'):
tsk_version_print(stdout);
exit(0);
default:
usage();
}
}
if ((addHash) && ((idx_type != NULL) || (create))) {
tsk_fprintf(stderr, "-a cannot be specified with -c or -i\n");
usage();
}
if (OPTIND + 1 > argc) {
tsk_fprintf(stderr,
"Error: You must provide the source hash database location\n");
usage();
}
db_file = argv[OPTIND++];
// Running in create mode (-c option). Make a new hash database and exit.
if (create) {
if (idx_type != NULL) {
tsk_fprintf(stderr, "-c and -i cannot be specified at same time\n");
usage();
}
TSK_TCHAR *ext = TSTRRCHR(db_file, _TSK_T('.'));
if ((NULL != ext) && (TSTRLEN(ext) >= 4) && (TSTRCMP(ext, _TSK_T(".kdb")) == 0)) {
if (0 == tsk_hdb_create(db_file)) {
tsk_fprintf(stdout, "New database %" PRIttocTSK" created\n", db_file);
return 0;
}
else {
tsk_fprintf(stderr, "Failed to create new database %" PRIttocTSK"\n", db_file);
return 1;
}
}
else {
tsk_fprintf(stderr, "New database path must end in .kdb extension\n");
return 1;
}
}
// Opening an existing database.
if ((hdb_info = tsk_hdb_open(db_file, TSK_HDB_OPEN_NONE)) == NULL) {
tsk_error_print(stderr);
return 1;
}
// Now that the database is open and its type is known, if running in add hashes mode (-a option)
// see if it takes updates.
if (addHash && !tsk_hdb_accepts_updates(hdb_info)) {
tsk_fprintf(stderr, "-a option specified, but the specified database does not allow hashes to be added\n");
usage();
}
// Running in indexing mode (-i option). Create an index file and exit.
if (idx_type != NULL) {
if (lookup_file != NULL) {
tsk_fprintf(stderr, "'-f' flag can't be used with '-i'\n");
usage();
}
if (flags & TSK_HDB_FLAG_QUICK) {
tsk_fprintf(stderr, "'-q' flag can't be used with '-i'\n");
usage();
}
if (flags & TSK_HDB_FLAG_EXT) {
tsk_fprintf(stderr, "'-e' flag can't be used with '-i'\n");
usage();
}
if (!tsk_hdb_uses_external_indexes(hdb_info)) {
tsk_fprintf(stderr, "Database does not use external indexes, can't be used with '-i'\n");
}
if (tsk_hdb_is_idx_only(hdb_info)) {
tsk_fprintf(stderr, "Database is index only, can be used for look ups, but can't be used with '-i'\n");
}
if (tsk_hdb_make_index(hdb_info, idx_type)) {
tsk_error_print(stderr);
tsk_hdb_close(hdb_info);
return 1;
}
tsk_fprintf(stdout, "Index created\n");
tsk_hdb_close(hdb_info);
return 0;
}
/* Either lookup hash values or add them to DB.
* Check if the values were passed on the command line or via a file
*/
if (OPTIND < argc) {
if ((OPTIND + 1 < argc) && (flags & TSK_HDB_FLAG_QUICK)) {
fprintf(stderr,
"Error: Only one hash can be given with quick option\n");
usage();
}
if ((flags & TSK_HDB_FLAG_EXT) && (flags & TSK_HDB_FLAG_QUICK)) {
fprintf(stderr, "'-e' flag can't be used with '-q'\n");
usage();
}
if (lookup_file != NULL) {
fprintf(stderr,
"Error: -f can't be used when hashes are also given\n");
usage();
}
/* Loop through all provided hash values
*/
while (OPTIND < argc) {
char htmp[128];
int i;
int retval;
// convert to char -- lazy way to deal with WCHARs..
for (i = 0; i < 127 && argv[OPTIND][i] != '\0'; i++) {
htmp[i] = (char) argv[OPTIND][i];
}
htmp[i] = '\0';
if (addHash) {
// Write a new hash to the database/index, if it's updateable
//@todo support sha1 and sha2-256
retval = tsk_hdb_add_entry(hdb_info, NULL, (const char *)htmp, NULL, NULL, NULL);
if (retval == 1) {
printf("There was an error adding the hash.\n");
tsk_error_print(stderr);
return 1;
}
else if (retval == 0) {
printf("Hash %s added.\n", htmp);
}
}
else {
/* Perform lookup */
retval = tsk_hdb_lookup_str(hdb_info, (const char *)htmp,
(TSK_HDB_FLAG_ENUM)flags, lookup_act, NULL);
if (retval == -1) {
tsk_error_print(stderr);
return 1;
}
if (flags & TSK_HDB_FLAG_QUICK) {
printf("%d\n", retval);
}
else if (retval == 0) {
print_notfound(htmp);
}
}
OPTIND++;
}
}
/* Hash were given from stdin or a file */
else {
char buf[100];
/* If the file was specified, use that - otherwise stdin */
#ifdef TSK_WIN32
HANDLE handle = NULL;
if (lookup_file != NULL) {
if ((handle = CreateFile(lookup_file, GENERIC_READ,
FILE_SHARE_READ, 0, OPEN_EXISTING, 0,
0)) == INVALID_HANDLE_VALUE) {
TFPRINTF(stderr, _TSK_T("Error opening hash file: %s\n"),
lookup_file);
exit(1);
}
}
else {
handle = GetStdHandle(STD_INPUT_HANDLE);
}
#else
FILE *handle = NULL;
if (lookup_file != NULL) {
handle = fopen(lookup_file, "r");
if (!handle) {
fprintf(stderr, "Error opening hash file: %s\n",
lookup_file);
exit(1);
}
}
else {
handle = stdin;
}
#endif
while (1) {
int retval;
memset(buf, 0, 100);
#ifdef TSK_WIN32
int done = 0;
// win32 doesn't have a fgets equivalent, so we make an equivalent one
for (int i = 0; i < 100; i++) {
DWORD nread;
if (FALSE == ReadFile(handle, &buf[i], (DWORD) 1, &nread, NULL)) {
done = 1;
break;
}
// skip the windows CR
else if (buf[i] == '\r') {
buf[i] = '\0';
i--;
continue;
}
else if (buf[i] == '\n') {
break;
}
}
if (done)
break;
#else
if (NULL == fgets(buf, 100, handle)) {
break;
}
#endif
/* Remove the newline */
buf[strlen(buf) - 1] = '\0';
retval =
tsk_hdb_lookup_str(hdb_info, (const char *)buf,
(TSK_HDB_FLAG_ENUM)flags, lookup_act, NULL);
if (retval == -1) {
tsk_error_print(stderr);
return 1;
}
if (flags & TSK_HDB_FLAG_QUICK) {
printf("%d\n", retval);
break;
}
else if (retval == 0) {
print_notfound(buf);
}
}
#ifdef TSK_WIN32
if (lookup_file != NULL)
CloseHandle(handle);
#else
if (lookup_file != NULL)
fclose(handle);
#endif
}
tsk_hdb_close(hdb_info);
return 0;
}
/**
* Open a hash database and index for lookup.
*
* @param db_file Path to database.
* @param flags Flags for opening the database.
*
* @return Poiner to hash database state structure or NULL on error
*/
TSK_HDB_INFO *
tsk_hdb_open(TSK_TCHAR * db_file, TSK_HDB_OPEN_ENUM flags)
{
TSK_HDB_INFO *hdb_info;
size_t flen;
FILE *hDb;
uint8_t dbtype = 0;
if ((flags & TSK_HDB_OPEN_IDXONLY) == 0) {
/* Open the database file */
#ifdef TSK_WIN32
{
HANDLE hWin;
if ((hWin = CreateFile(db_file, GENERIC_READ,
FILE_SHARE_READ, 0, OPEN_EXISTING, 0,
0)) == INVALID_HANDLE_VALUE) {
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_OPEN;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"hdb_open: Error opening database file: %s",
db_file);
return NULL;
}
hDb =
_fdopen(_open_osfhandle((intptr_t) hWin, _O_RDONLY), "r");
if (hDb == NULL) {
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_OPEN;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"hdb_open: Error converting Windows handle to C handle");
return NULL;
}
}
#else
if (NULL == (hDb = fopen(db_file, "r"))) {
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_OPEN;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"hdb_open: Error opening database file: %s", db_file);
return NULL;
}
#endif
/* Try to figure out what type of DB it is */
if (nsrl_test(hDb)) {
dbtype = TSK_HDB_DBTYPE_NSRL_ID;
}
if (md5sum_test(hDb)) {
if (dbtype != 0) {
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_UNKTYPE;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"hdb_open: Error determining DB type (MD5sum)");
return NULL;
}
dbtype = TSK_HDB_DBTYPE_MD5SUM_ID;
}
if (hk_test(hDb)) {
if (dbtype != 0) {
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_UNKTYPE;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"hdb_open: Error determining DB type (HK)");
return NULL;
}
dbtype = TSK_HDB_DBTYPE_HK_ID;
}
if (dbtype == 0) {
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_UNKTYPE;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"hdb_open: Error determining DB type");
return NULL;
}
fseeko(hDb, 0, SEEK_SET);
}
else {
dbtype = TSK_HDB_DBTYPE_IDXONLY_ID;
hDb = NULL;
}
if ((hdb_info = talloc(NULL, TSK_HDB_INFO)) == NULL)
return NULL;
hdb_info->hDb = hDb;
/* Get database specific information */
hdb_info->db_type = dbtype;
switch (dbtype) {
case TSK_HDB_DBTYPE_NSRL_ID:
hdb_info->getentry = nsrl_getentry;
hdb_info->makeindex = nsrl_makeindex;
break;
case TSK_HDB_DBTYPE_MD5SUM_ID:
hdb_info->getentry = md5sum_getentry;
hdb_info->makeindex = md5sum_makeindex;
break;
case TSK_HDB_DBTYPE_HK_ID:
hdb_info->getentry = hk_getentry;
hdb_info->makeindex = hk_makeindex;
break;
case TSK_HDB_DBTYPE_IDXONLY_ID:
hdb_info->getentry = idxonly_getentry;
hdb_info->makeindex = idxonly_makeindex;
break;
default:
return NULL;
}
hdb_info->hash_type = 0;
hdb_info->hash_len = 0;
hdb_info->idx_fname = NULL;
hdb_info->uns_fname = NULL;
hdb_info->hIdxTmp = NULL;
hdb_info->hIdx = NULL;
hdb_info->idx_size = 0;
hdb_info->idx_off = 0;
hdb_info->idx_lbuf = NULL;
/* Copy the database name into the structure */
flen = TSTRLEN(db_file) + 8; // + 32;
hdb_info->db_fname =
(TSK_TCHAR *) talloc_size(hdb_info, flen * sizeof(TSK_TCHAR));
if (hdb_info->db_fname == NULL) {
talloc_free(hdb_info);
return NULL;
}
TSTRNCPY(hdb_info->db_fname, db_file, flen);
return hdb_info;
}
/** Initialize the TSK hash DB index file. This creates the intermediate file,
* which will have entries added to it. This file must be sorted before the
* process is finished.
*
* @param hdb_info Hash database state structure
* @param htype String of index type to create
*
* @return 1 on error and 0 on success
*
*/
uint8_t
tsk_hdb_idxinitialize(TSK_HDB_INFO * hdb_info, TSK_TCHAR * htype)
{
size_t flen;
char dbtmp[32];
int i;
/* Use the string of the index/hash type to figure out some
* settings */
// convert to char -- cheating way to deal with WCHARs..
for (i = 0; i < 31 && htype[i] != '\0'; i++) {
dbtmp[i] = (char) htype[i];
}
dbtmp[i] = '\0';
if (strcmp(dbtmp, TSK_HDB_DBTYPE_NSRL_MD5_STR) == 0) {
if (hdb_info->db_type != TSK_HDB_DBTYPE_NSRL_ID) {
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_ARG;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"hdb_idxinitialize: database detected as: %d index creation as: %d",
hdb_info->db_type, TSK_HDB_DBTYPE_NSRL_ID);
return 1;
}
hdb_setuphash(hdb_info, TSK_HDB_HTYPE_MD5_ID);
}
else if (strcmp(dbtmp, TSK_HDB_DBTYPE_NSRL_SHA1_STR) == 0) {
if (hdb_info->db_type != TSK_HDB_DBTYPE_NSRL_ID) {
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_ARG;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"hdb_idxinitialize: database detected as: %d index creation as: %d",
hdb_info->db_type, TSK_HDB_DBTYPE_NSRL_ID);
return 1;
}
hdb_setuphash(hdb_info, TSK_HDB_HTYPE_SHA1_ID);
}
else if (strcmp(dbtmp, TSK_HDB_DBTYPE_MD5SUM_STR) == 0) {
if (hdb_info->db_type != TSK_HDB_DBTYPE_MD5SUM_ID) {
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_ARG;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"hdb_idxinitialize: database detected as: %d index creation as: %d",
hdb_info->db_type, TSK_HDB_DBTYPE_MD5SUM_ID);
return 1;
}
hdb_setuphash(hdb_info, TSK_HDB_HTYPE_MD5_ID);
}
else if (strcmp(dbtmp, TSK_HDB_DBTYPE_HK_STR) == 0) {
if (hdb_info->db_type != TSK_HDB_DBTYPE_HK_ID) {
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_ARG;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"hdb_idxinitialize: database detected as: %d index creation as: %d",
hdb_info->db_type, TSK_HDB_DBTYPE_HK_ID);
return 1;
}
hdb_setuphash(hdb_info, TSK_HDB_HTYPE_MD5_ID);
}
else {
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_ARG;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"hdb_idxinitialize: Unknown database type request: %s",
dbtmp);
return 1;
}
/* Setup the internal hash information */
if (hdb_setuphash(hdb_info, hdb_info->hash_type)) {
return 1;
}
/* Make the name for the unsorted intermediate index file */
flen = TSTRLEN(hdb_info->db_fname) + 32;
hdb_info->uns_fname =
(TSK_TCHAR *) talloc_size(hdb_info, flen * sizeof(TSK_TCHAR));
if (hdb_info->uns_fname == NULL) {
return 1;
}
TSNPRINTF(hdb_info->uns_fname, flen,
_TSK_T("%s-%") PRIcTSK _TSK_T("-ns.idx"), hdb_info->db_fname,
TSK_HDB_HTYPE_STR(hdb_info->hash_type));
/* Create temp unsorted file of offsets */
#ifdef TSK_WIN32
{
HANDLE hWin;
if ((hWin = CreateFile(hdb_info->uns_fname, GENERIC_WRITE,
0, 0, CREATE_ALWAYS, 0, 0)) ==
INVALID_HANDLE_VALUE) {
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_CREATE;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"hdb_idxinitialize: %s GetFileSize: %d",
hdb_info->uns_fname, GetLastError());
return 1;
}
hdb_info->hIdxTmp =
_fdopen(_open_osfhandle((intptr_t) hWin, _O_WRONLY), "wb");
if (hdb_info->hIdxTmp == NULL) {
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_OPEN;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"hdb_idxinitialize: Error converting Windows handle to C handle");
talloc_free(hdb_info);
return 1;
}
}
#else
if (NULL == (hdb_info->hIdxTmp = fopen(hdb_info->uns_fname, "w"))) {
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_CREATE;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"Error creating temp index file: %s",
hdb_info->uns_fname);
return 1;
}
#endif
/* Print the header */
switch (hdb_info->db_type) {
case TSK_HDB_DBTYPE_NSRL_ID:
fprintf(hdb_info->hIdxTmp, "%s|%s\n", TSK_HDB_IDX_HEAD_STR,
TSK_HDB_DBTYPE_NSRL_STR);
break;
case TSK_HDB_DBTYPE_MD5SUM_ID:
fprintf(hdb_info->hIdxTmp, "%s|%s\n", TSK_HDB_IDX_HEAD_STR,
TSK_HDB_DBTYPE_MD5SUM_STR);
break;
case TSK_HDB_DBTYPE_HK_ID:
fprintf(hdb_info->hIdxTmp, "%s|%s\n", TSK_HDB_IDX_HEAD_STR,
TSK_HDB_DBTYPE_HK_STR);
break;
/* Used to stop warning messages about missing enum value */
case TSK_HDB_DBTYPE_IDXONLY_ID:
default:
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_CREATE;
snprintf(tsk_errstr, TSK_ERRSTR_L, "idxinit: Invalid db type\n");
return 1;
}
return 0;
}
int
MAIN(int argc, TSK_TCHAR ** argv)
{
TSK_TCHAR *imgtype = NULL;
TSK_TCHAR *fstype = NULL;
TSK_FS_INFO *fs;
TSK_IMG_INFO *img;
int ch;
TSK_TCHAR *cp;
extern int optind;
DADDR_T block = 0; /* the block to find */
INUM_T parinode = 0;
TSK_TCHAR *path = NULL;
SSIZE_T imgoff = 0;
progname = argv[0];
setlocale(LC_ALL, "");
localflags = 0;
while ((ch = getopt(argc, argv, _TSK_T("ad:f:i:ln:o:p:vVz:"))) > 0) {
switch (ch) {
case _TSK_T('a'):
localflags |= TSK_FS_IFIND_ALL;
break;
case _TSK_T('d'):
if (localflags & (TSK_FS_IFIND_PAR | TSK_FS_IFIND_PATH)) {
tsk_fprintf(stderr,
"error: only one address type can be given\n");
usage();
}
localflags |= TSK_FS_IFIND_DATA;
block = TSTRTOULL(optarg, &cp, 0);
if (*cp || *cp == *optarg) {
TFPRINTF(stderr, _TSK_T("Invalid block address: %s\n"),
optarg);
usage();
}
break;
case _TSK_T('f'):
fstype = optarg;
if (TSTRCMP(fstype, _TSK_T("list")) == 0) {
tsk_fs_print_types(stderr);
exit(1);
}
break;
case _TSK_T('i'):
imgtype = optarg;
if (TSTRCMP(imgtype, _TSK_T("list")) == 0) {
tsk_img_print_types(stderr);
exit(1);
}
break;
case _TSK_T('l'):
localflags |= TSK_FS_IFIND_PAR_LONG;
break;
case _TSK_T('n'):
{
size_t len;
if (localflags & (TSK_FS_IFIND_PAR | TSK_FS_IFIND_DATA)) {
tsk_fprintf(stderr,
"error: only one address type can be given\n");
usage();
}
localflags |= TSK_FS_IFIND_PATH;
len = (TSTRLEN(optarg) + 1) * sizeof(TSK_TCHAR);
if ((path = (TSK_TCHAR *) tsk_malloc(len)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
TSTRNCPY(path, optarg, TSTRLEN(optarg) + 1);
break;
}
case 'o':
if ((imgoff = tsk_parse_offset(optarg)) == -1) {
tsk_error_print(stderr);
exit(1);
}
break;
case 'p':
if (localflags & (TSK_FS_IFIND_PATH | TSK_FS_IFIND_DATA)) {
tsk_fprintf(stderr,
"error: only one address type can be given\n");
usage();
}
localflags |= TSK_FS_IFIND_PAR;
if (tsk_parse_inum(optarg, &parinode, NULL, NULL, NULL)) {
TFPRINTF(stderr, _TSK_T("Invalid inode address: %s\n"),
optarg);
usage();
}
break;
case 'v':
tsk_verbose++;
break;
case 'V':
tsk_print_version(stdout);
exit(0);
case 'z':
{
TSK_TCHAR envstr[32];
TSNPRINTF(envstr, 32, _TSK_T("TZ=%s"), optarg);
if (0 != PUTENV(envstr)) {
tsk_fprintf(stderr, "error setting environment");
exit(1);
}
/* we should be checking this somehow */
TZSET();
break;
}
case '?':
default:
tsk_fprintf(stderr, "Invalid argument: %s\n", argv[optind]);
usage();
}
}
/* We need at least one more argument */
if (optind >= argc) {
tsk_fprintf(stderr, "Missing image name\n");
if (path)
free(path);
usage();
}
if (0 ==
(localflags & (TSK_FS_IFIND_PATH | TSK_FS_IFIND_DATA |
TSK_FS_IFIND_PAR))) {
tsk_fprintf(stderr, "-d, -n, or -p must be given\n");
usage();
}
if ((img =
tsk_img_open(imgtype, argc - optind,
(const TSK_TCHAR **) &argv[optind])) == NULL) {
tsk_error_print(stderr);
if (path)
free(path);
exit(1);
}
if ((fs = tsk_fs_open(img, imgoff, fstype)) == NULL) {
tsk_error_print(stderr);
if (tsk_errno == TSK_ERR_FS_UNSUPTYPE)
tsk_fs_print_types(stderr);
img->close(img);
if (path)
free(path);
exit(1);
}
if (localflags & TSK_FS_IFIND_DATA) {
if (block > fs->last_block) {
tsk_fprintf(stderr,
"Block %" PRIuDADDR
" is larger than last block in image (%" PRIuDADDR
")\n", block, fs->last_block);
fs->close(fs);
img->close(img);
exit(1);
}
else if (block == 0) {
tsk_printf("Inode not found\n");
fs->close(fs);
img->close(img);
exit(1);
}
if (tsk_fs_ifind_data(fs, localflags, block)) {
tsk_error_print(stderr);
fs->close(fs);
img->close(img);
exit(1);
}
}
else if (localflags & TSK_FS_IFIND_PAR) {
if ((fs->ftype & TSK_FS_INFO_TYPE_FS_MASK) !=
TSK_FS_INFO_TYPE_NTFS_TYPE) {
tsk_fprintf(stderr, "-p works only with NTFS file systems\n");
fs->close(fs);
img->close(img);
exit(1);
}
else if (parinode > fs->last_inum) {
tsk_fprintf(stderr,
"Meta data %" PRIuINUM
" is larger than last MFT entry in image (%" PRIuINUM
")\n", parinode, fs->last_inum);
fs->close(fs);
img->close(img);
exit(1);
}
if (tsk_fs_ifind_par(fs, localflags, parinode)) {
tsk_error_print(stderr);
fs->close(fs);
img->close(img);
exit(1);
}
}
else if (localflags & TSK_FS_IFIND_PATH) {
int retval;
INUM_T inum;
if (-1 == (retval =
tsk_fs_ifind_path(fs, localflags, path, &inum))) {
tsk_error_print(stderr);
fs->close(fs);
img->close(img);
free(path);
exit(1);
}
free(path);
if (retval == 1)
tsk_printf("File not found\n");
else
tsk_printf("%" PRIuINUM "\n", inum);
}
fs->close(fs);
img->close(img);
exit(0);
}
TSK_IMG_INFO *
ewf_open(int a_num_img, const TSK_TCHAR * const a_images[],
unsigned int a_ssize)
{
IMG_EWF_INFO *ewf_info;
TSK_IMG_INFO *img_info;
#if !defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 )
uint8_t md5_hash[16];
#endif
if ((ewf_info =
(IMG_EWF_INFO *) tsk_img_malloc(sizeof(IMG_EWF_INFO))) ==
NULL) {
return NULL;
}
img_info = (TSK_IMG_INFO *) ewf_info;
// See if they specified only the first of the set...
if (a_num_img == 1) {
#ifdef TSK_WIN32
ewf_info->num_imgs = libewf_glob_wide(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images);
#else
ewf_info->num_imgs = libewf_glob(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images);
#endif
if (ewf_info->num_imgs <= 0) {
free(ewf_info);
return NULL;
}
if (tsk_verbose)
tsk_fprintf(stderr, "ewf_open: found %d segment files via libewf_glob\n", ewf_info->num_imgs);
}
else {
int i;
ewf_info->num_imgs = a_num_img;
if ((ewf_info->images =
(TSK_TCHAR **) tsk_malloc(a_num_img *
sizeof(TSK_TCHAR *))) == NULL) {
free(ewf_info);
return NULL;
}
for (i = 0; i < a_num_img; i++) {
if ((ewf_info->images[i] =
(TSK_TCHAR *) tsk_malloc((TSTRLEN(a_images[i]) +
1) * sizeof(TSK_TCHAR))) == NULL) {
free(ewf_info);
return NULL;
}
TSTRNCPY(ewf_info->images[i], a_images[i],
TSTRLEN(a_images[i]) + 1);
}
}
/* check the magic before we call the library open */
//if (img_file_header_signature_ncmp(images[0],
// "\x45\x56\x46\x09\x0d\x0a\xff\x00", 8) != 1) {
#if defined (TSK_WIN32)
if (libewf_check_file_signature_wide(ewf_info->images[0]) == 0) {
#else
if (libewf_check_file_signature(ewf_info->images[0]) == 0) {
#endif
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_MAGIC);
tsk_error_set_errstr("ewf_open: Not an EWF file");
free(ewf_info);
if (tsk_verbose)
tsk_fprintf(stderr, "Not an EWF file\n");
return NULL;
}
#if defined (TSK_WIN32)
ewf_info->handle =
libewf_open_wide((wchar_t * const *) ewf_info->images,
ewf_info->num_imgs, LIBEWF_OPEN_READ);
#else
ewf_info->handle =
libewf_open((char *const *) ewf_info->images, ewf_info->num_imgs,
LIBEWF_OPEN_READ);
#endif
if (ewf_info->handle == NULL) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_OPEN);
tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
": Error opening", ewf_info->images[0]);
free(ewf_info);
if (tsk_verbose) {
tsk_fprintf(stderr, "Error opening EWF file\n");
}
return NULL;
}
// 2007 version
#if defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 )
img_info->size = libewf_get_media_size(ewf_info->handle);
ewf_info->md5hash_isset = libewf_get_stored_md5_hash(ewf_info->handle,
ewf_info->md5hash, LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5);
// libewf-20080322 version
#else
if (libewf_get_media_size(ewf_info->handle,
(size64_t *) & (img_info->size))
!= 1) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_OPEN);
tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
": Error getting size of image", ewf_info->images[0]);
free(ewf_info);
if (tsk_verbose) {
tsk_fprintf(stderr, "Error getting size of EWF file\n");
}
return NULL;
}
if (libewf_get_md5_hash(ewf_info->handle, md5_hash, 16) == 1) {
int md5_string_iterator = 0;
int md5_hash_iterator;
for (md5_hash_iterator = 0; md5_hash_iterator < 16;
md5_hash_iterator++) {
int digit = md5_hash[md5_hash_iterator] / 16;
if (digit <= 9)
ewf_info->md5hash[md5_string_iterator++] = (char)
('0' + digit);
else
ewf_info->md5hash[md5_string_iterator++] = (char) ('a' +
(digit - 10));
digit = md5_hash[md5_hash_iterator] % 16;
if (digit <= 9)
ewf_info->md5hash[md5_string_iterator++] =
(char) ('0' + digit);
else
ewf_info->md5hash[md5_string_iterator++] = (char) ('a' +
(digit - 10));
}
ewf_info->md5hash_isset = 1;
}
#endif
img_info->sector_size = 512;
if (a_ssize)
img_info->sector_size = a_ssize;
img_info->itype = TSK_IMG_TYPE_EWF_EWF;
img_info->read = ewf_image_read;
img_info->close = ewf_image_close;
img_info->imgstat = ewf_image_imgstat;
return img_info;
}
/**
* \ingroup hashdblib
*
* Opens an existing hash database.
* @param file_path Path to database or database index file.
* @param flags Flags for opening the database.
* @return Pointer to a struct representing the hash database or NULL on error.
*/
TSK_HDB_INFO *
tsk_hdb_open(TSK_TCHAR *file_path, TSK_HDB_OPEN_ENUM flags)
{
const char *func_name = "tsk_hdb_open";
uint8_t file_path_is_idx_path = 0;
TSK_TCHAR *db_path = NULL;
TSK_TCHAR *ext = NULL;
FILE *hDb = NULL;
FILE *hIdx = NULL;
TSK_HDB_DBTYPE_ENUM db_type = TSK_HDB_DBTYPE_INVALID_ID;
TSK_HDB_INFO *hdb_info = NULL;
if (NULL == file_path) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_ARG);
tsk_error_set_errstr("%s: NULL file path", func_name);
return NULL;
}
// Determine the hash database path using the given file path. Note that
// direct use of an external index file for a text-format hash database for
// simple yes/no lookups is both explicitly and implicitly supported. For
// such "index only" databases, the path to where the hash database is
// normally required to be is still needed because of the way the code for
// text-format hash databases has been written.
db_path = (TSK_TCHAR*)tsk_malloc((TSTRLEN(file_path) + 1) * sizeof(TSK_TCHAR));
if (NULL == db_path) {
return NULL;
}
ext = TSTRRCHR(file_path, _TSK_T('-'));
if ((NULL != ext) &&
(TSTRLEN(ext) == 8 || TSTRLEN(ext) == 9) &&
((TSTRCMP(ext, _TSK_T("-md5.idx")) == 0) || TSTRCMP(ext, _TSK_T("-sha1.idx")) == 0)) {
// The file path extension suggests the path is for an external index
// file generated by TSK for a text-format hash database. In this case,
// the database path should be the given file path sans the extension
// because the hash database, if it is available for lookups, is
// required to be be in the same directory as the external index file.
file_path_is_idx_path = 1;
TSTRNCPY(db_path, file_path, (ext - file_path));
}
else {
TSTRNCPY(db_path, file_path, TSTRLEN(file_path));
}
// Determine the database type.
if ((flags & TSK_HDB_OPEN_IDXONLY) == 0) {
hDb = hdb_open_file(db_path);
if (NULL != hDb) {
db_type = hdb_determine_db_type(hDb, db_path);
if (TSK_HDB_DBTYPE_INVALID_ID == db_type) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_UNKTYPE);
tsk_error_set_errstr("%s: error determining hash database type of %"PRIttocTSK, func_name, db_path);
free(db_path);
return NULL;
}
}
else {
if (file_path_is_idx_path) {
db_type = TSK_HDB_DBTYPE_IDXONLY_ID;
}
else {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_OPEN);
tsk_error_set_errstr("%s: failed to open %"PRIttocTSK, func_name, db_path);
free(db_path);
return NULL;
}
}
}
else {
db_type = TSK_HDB_DBTYPE_IDXONLY_ID;
}
switch (db_type) {
case TSK_HDB_DBTYPE_NSRL_ID:
hdb_info = nsrl_open(hDb, db_path);
break;
case TSK_HDB_DBTYPE_MD5SUM_ID:
hdb_info = md5sum_open(hDb, db_path);
break;
case TSK_HDB_DBTYPE_ENCASE_ID:
hdb_info = encase_open(hDb, db_path);
break;
case TSK_HDB_DBTYPE_HK_ID:
hdb_info = hk_open(hDb, db_path);
break;
case TSK_HDB_DBTYPE_IDXONLY_ID:
hIdx = hdb_open_file(file_path);
if (NULL == hIdx) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_OPEN);
tsk_error_set_errstr("%s: database is index only, failed to open index %"PRIttocTSK, func_name, db_path);
free(db_path);
return NULL;
}
else {
fclose(hIdx);
}
hdb_info = idxonly_open(db_path);
break;
case TSK_HDB_DBTYPE_SQLITE_ID:
if (NULL != hDb) {
fclose(hDb);
}
hdb_info = sqlite_hdb_open(db_path);
break;
// included to prevent compiler warnings that it is not used
case TSK_HDB_DBTYPE_INVALID_ID:
break;
}
if (NULL != db_path) {
free(db_path);
}
return hdb_info;
}
TSK_IMG_INFO *
ewf_open(int a_num_img,
const TSK_TCHAR * const a_images[], unsigned int a_ssize)
{
#if defined( HAVE_LIBEWF_V2_API )
char error_string[TSK_EWF_ERROR_STRING_SIZE];
libewf_error_t *ewf_error = NULL;
int result = 0;
#elif !defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 )
uint8_t md5_hash[16];
#endif
IMG_EWF_INFO *ewf_info = NULL;
TSK_IMG_INFO *img_info = NULL;
#if !defined( HAVE_LIBEWF_V2_API)
if (tsk_verbose)
libewf_set_notify_values(stderr, 1);
#endif
if ((ewf_info =
(IMG_EWF_INFO *) tsk_img_malloc(sizeof(IMG_EWF_INFO))) ==
NULL) {
return NULL;
}
img_info = (TSK_IMG_INFO *) ewf_info;
// See if they specified only the first of the set...
ewf_info->used_ewf_glob = 0;
if (a_num_img == 1) {
#if defined( HAVE_LIBEWF_V2_API)
#ifdef TSK_WIN32
if (libewf_glob_wide(a_images[0], TSTRLEN(a_images[0]),
LIBEWF_FORMAT_UNKNOWN, &ewf_info->images,
&ewf_info->num_imgs, &ewf_error) == -1) {
#else
if (libewf_glob(a_images[0], TSTRLEN(a_images[0]),
LIBEWF_FORMAT_UNKNOWN, &ewf_info->images,
&ewf_info->num_imgs, &ewf_error) == -1) {
#endif
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_MAGIC);
getError(ewf_error, error_string);
tsk_error_set_errstr("ewf_open: Not an E01 glob name (%s)",
error_string);
libewf_error_free(&ewf_error);
tsk_img_free(ewf_info);
return NULL;
}
#else //use v1
#ifdef TSK_WIN32
ewf_info->num_imgs =
libewf_glob_wide(a_images[0], TSTRLEN(a_images[0]),
LIBEWF_FORMAT_UNKNOWN, &ewf_info->images);
#else
ewf_info->num_imgs =
libewf_glob(a_images[0], TSTRLEN(a_images[0]),
LIBEWF_FORMAT_UNKNOWN, &ewf_info->images);
#endif
if (ewf_info->num_imgs <= 0) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_MAGIC);
tsk_error_set_errstr("ewf_open: Not an E01 glob name");
tsk_img_free(ewf_info);
return NULL;
}
#endif // end v1
ewf_info->used_ewf_glob = 1;
if (tsk_verbose)
tsk_fprintf(stderr,
"ewf_open: found %d segment files via libewf_glob\n",
ewf_info->num_imgs);
}
else {
int i;
ewf_info->num_imgs = a_num_img;
if ((ewf_info->images =
(TSK_TCHAR **) tsk_malloc(a_num_img *
sizeof(TSK_TCHAR *))) == NULL) {
tsk_img_free(ewf_info);
return NULL;
}
for (i = 0; i < a_num_img; i++) {
if ((ewf_info->images[i] =
(TSK_TCHAR *) tsk_malloc((TSTRLEN(a_images[i]) +
1) * sizeof(TSK_TCHAR))) == NULL) {
tsk_img_free(ewf_info);
return NULL;
}
TSTRNCPY(ewf_info->images[i], a_images[i],
TSTRLEN(a_images[i]) + 1);
}
}
#if defined( HAVE_LIBEWF_V2_API )
// Check the file signature before we call the library open
#if defined( TSK_WIN32 )
if (libewf_check_file_signature_wide(a_images[0], &ewf_error) != 1)
#else
if (libewf_check_file_signature(a_images[0], &ewf_error) != 1)
#endif
{
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_MAGIC);
getError(ewf_error, error_string);
tsk_error_set_errstr("ewf_open: Not an EWF file (%s)",
error_string);
libewf_error_free(&ewf_error);
tsk_img_free(ewf_info);
if (tsk_verbose != 0) {
tsk_fprintf(stderr, "Not an EWF file\n");
}
return (NULL);
}
if (libewf_handle_initialize(&(ewf_info->handle), &ewf_error) != 1) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_OPEN);
getError(ewf_error, error_string);
tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
": Error initializing handle (%s)", a_images[0], error_string);
libewf_error_free(&ewf_error);
tsk_img_free(ewf_info);
if (tsk_verbose != 0) {
tsk_fprintf(stderr, "Unable to create EWF handle\n");
}
return (NULL);
}
#if defined( TSK_WIN32 )
if (libewf_handle_open_wide(ewf_info->handle,
(wchar_t * const *) ewf_info->images,
ewf_info->num_imgs, LIBEWF_OPEN_READ, &ewf_error) != 1)
#else
if (libewf_handle_open(ewf_info->handle,
(char *const *) ewf_info->images,
ewf_info->num_imgs, LIBEWF_OPEN_READ, &ewf_error) != 1)
#endif
{
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_OPEN);
getError(ewf_error, error_string);
tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
": Error opening (%s)", a_images[0], error_string);
libewf_error_free(&ewf_error);
tsk_img_free(ewf_info);
if (tsk_verbose != 0) {
tsk_fprintf(stderr, "Error opening EWF file\n");
}
return (NULL);
}
if (libewf_handle_get_media_size(ewf_info->handle,
(size64_t *) & (img_info->size), &ewf_error) != 1) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_OPEN);
getError(ewf_error, error_string);
tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
": Error getting size of image (%s)", a_images[0],
error_string);
libewf_error_free(&ewf_error);
tsk_img_free(ewf_info);
if (tsk_verbose != 0) {
tsk_fprintf(stderr, "Error getting size of EWF file\n");
}
return (NULL);
}
result = libewf_handle_get_utf8_hash_value_md5(ewf_info->handle,
(uint8_t *) ewf_info->md5hash, 33, &ewf_error);
if (result == -1) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_OPEN);
getError(ewf_error, error_string);
tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
": Error getting MD5 of image (%s)", a_images[0],
error_string);
libewf_error_free(&ewf_error);
tsk_img_free(ewf_info);
if (tsk_verbose != 0) {
tsk_fprintf(stderr, "Error getting size of EWF file\n");
}
return (NULL);
}
ewf_info->md5hash_isset = result;
#else // V1 API
// Check the file signature before we call the library open
#if defined( TSK_WIN32 )
if (libewf_check_file_signature_wide(a_images[0]) != 1)
#else
if (libewf_check_file_signature(a_images[0]) != 1)
#endif
{
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_MAGIC);
tsk_error_set_errstr("ewf_open: Not an EWF file");
tsk_img_free(ewf_info);
if (tsk_verbose)
tsk_fprintf(stderr, "Not an EWF file\n");
return NULL;
}
#if defined( TSK_WIN32 )
ewf_info->handle = libewf_open_wide(
(wchar_t * const *) ewf_info->images, ewf_info->num_imgs,
LIBEWF_OPEN_READ);
#else
ewf_info->handle = libewf_open(
(char *const *) ewf_info->images, ewf_info->num_imgs,
LIBEWF_OPEN_READ);
#endif
if (ewf_info->handle == NULL) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_OPEN);
tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
": Error opening", ewf_info->images[0]);
tsk_img_free(ewf_info);
if (tsk_verbose != 0) {
tsk_fprintf(stderr, "Error opening EWF file\n");
}
return (NULL);
}
#if defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 )
// 2007 version
img_info->size = libewf_get_media_size(ewf_info->handle);
ewf_info->md5hash_isset = libewf_get_stored_md5_hash(ewf_info->handle,
ewf_info->md5hash, LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5);
#else
// libewf-20080322 version
if (libewf_get_media_size(ewf_info->handle,
(size64_t *) & (img_info->size)) != 1) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_OPEN);
tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
": Error getting size of image", ewf_info->images[0]);
tsk_img_free(ewf_info);
if (tsk_verbose) {
tsk_fprintf(stderr, "Error getting size of EWF file\n");
}
return (NULL);
}
if (libewf_get_md5_hash(ewf_info->handle, md5_hash, 16) == 1) {
int md5_string_iterator = 0;
int md5_hash_iterator = 0;
for (md5_hash_iterator = 0;
md5_hash_iterator < 16; md5_hash_iterator++) {
int digit = md5_hash[md5_hash_iterator] / 16;
if (digit <= 9) {
ewf_info->md5hash[md5_string_iterator++] =
'0' + (char) digit;
}
else {
ewf_info->md5hash[md5_string_iterator++] =
'a' + (char) (digit - 10);
}
digit = md5_hash[md5_hash_iterator] % 16;
if (digit <= 9) {
ewf_info->md5hash[md5_string_iterator++] =
'0' + (char) digit;
}
else {
ewf_info->md5hash[md5_string_iterator++] =
'a' + (char) (digit - 10);
}
}
ewf_info->md5hash_isset = 1;
}
#endif /* defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 ) */
#endif /* defined( HAVE_LIBEWF_V2_API ) */
if (a_ssize != 0) {
img_info->sector_size = a_ssize;
}
else {
img_info->sector_size = 512;
}
img_info->itype = TSK_IMG_TYPE_EWF_EWF;
img_info->read = &ewf_image_read;
img_info->close = &ewf_image_close;
img_info->imgstat = &ewf_image_imgstat;
// initialize the read lock
tsk_init_lock(&(ewf_info->read_lock));
return (img_info);
}
void CUploadListCtrl::DrawItemInfo(LPDRAWITEMSTRUCT lpDrawItemStruct)
{
CDC* pDC = CDC::FromHandle(lpDrawItemStruct->hDC);
CRect rtItem = lpDrawItemStruct->rcItem;
VideoInfo item = UploadQueueManager::GetInstance().GetItem(GetItemText(lpDrawItemStruct->itemID, 0).GetString());
int cw = rtItem.left;
// 上传状态
int iStateWidth = GetColumnWidth(0);
CRect rtState(cw, rtItem.top, cw + iStateWidth - 1, rtItem.bottom);
CDC StateMemDC;
StateMemDC.CreateCompatibleDC(pDC);
CBitmap* pOldBitmap = NULL;
COLORREF oldColor;
switch(item.m_dwState)
{
case VideoInfo::Complete:
oldColor = pDC->SetTextColor(RGB(0, 0, 0));
pOldBitmap = StateMemDC.SelectObject(&m_CompleteStateBmpObj);
break;
case VideoInfo::Validate:
case VideoInfo::Uploading:
oldColor = pDC->SetTextColor(RGB(0, 0, 0));
pOldBitmap = StateMemDC.SelectObject(&m_RunningStateBmpObj);
break;
case VideoInfo::WaitKey:
case VideoInfo::Wait:
oldColor = pDC->SetTextColor(RGB(0, 0, 0));
pOldBitmap = StateMemDC.SelectObject(&m_WaitStateBmpObj);
break;
case VideoInfo::Delete:
case VideoInfo::Pause:
oldColor = pDC->SetTextColor(RGB(0, 0, 0));
pOldBitmap = StateMemDC.SelectObject(&m_PauseStateBmpObj);
break;
default:
oldColor = pDC->SetTextColor(RGB(255, 0, 0));
pOldBitmap = StateMemDC.SelectObject(&m_FailStateBmpObj);
break;
}
int descX, descY, descWidth, descHeight, srcX, srcY, srcWidth, srcHeight;
if(rtState.Height() > rtState.Width())
{
if(rtState.Width() < 16)
{
descX = rtState.left;
descY = rtState.top;
descWidth = rtState.Width();
descHeight = rtState.Height();
srcX = (16 - rtState.Width()) / 2;
srcY = (16 - rtState.Height()) / 2;
srcWidth = rtState.Width();
srcHeight = rtState.Height();
}
else
{
descX = (rtState.Width() - 16) / 2 + rtState.left;
descY = (rtState.Height() - 16) / 2 + rtState.top;
descWidth = 16;
descHeight = 16;
srcX = 0;
srcY = 0;
srcWidth = 16;
srcHeight = 16;
}
}
else
{
if(rtState.Height() < 16)
{
descX = rtState.left;
descY = rtState.top;
descWidth = rtState.Width();
descHeight = rtState.Height();
srcX = (16 - rtState.Width()) / 2;
srcY = (16 - rtState.Height()) / 2;
srcWidth = rtState.Width();
srcHeight = rtState.Height();
}
else
{
descX = (rtState.Width() - 16) / 2 + rtState.left;
descY = (rtState.Height() - 16) / 2 + rtState.top;
descWidth = 16;
descHeight = 16;
srcX = 0;
srcY = 0;
srcWidth = 16;
srcHeight = 16;
}
}
pDC->TransparentBlt(descX, descY, descWidth, descHeight, &StateMemDC, srcX, srcY, srcWidth, srcHeight, RGB(255, 0, 255));
StateMemDC.SelectObject(pOldBitmap);
StateMemDC.DeleteDC();
cw += iStateWidth;
// 视频名称
int iNameWidth = GetColumnWidth(1);
CRect rtName(cw, rtItem.top, cw + iNameWidth - 1, rtItem.bottom);
pDC->DrawText(item.m_strVideoName.c_str(), item.m_strVideoName.length(), &rtName, DT_LEFT|DT_VCENTER|DT_SINGLELINE);
cw += iNameWidth;
pDC->SetTextColor(oldColor);
// 上传通道
int iUploadChannelWidth = GetColumnWidth(2);
CRect rtUploadChannel(cw, rtItem.top, cw + iUploadChannelWidth - 1, rtItem.bottom);
if(item.m_dwVideoUploadChannel == VideoInfo::FastChannel)
{
oldColor = pDC->SetTextColor(RGB(0xFF, 0, 0));
pDC->DrawText(TEXT("快速"), TSTRLEN(TEXT("快速")), &rtUploadChannel, DT_CENTER|DT_VCENTER|DT_SINGLELINE);
pDC->SetTextColor(oldColor);
}
else
{
pDC->DrawText(TEXT("普通"), TSTRLEN(TEXT("普通")), &rtUploadChannel, DT_CENTER|DT_VCENTER|DT_SINGLELINE);
}
cw += iUploadChannelWidth;
// 优先级
int iVideoPriorityWidth = GetColumnWidth(3);
CString strVideoPriority;
switch(item.m_dwPriority)
{
case VideoInfo::Normal:
oldColor = pDC->SetTextColor(RGB(0, 0, 0));
strVideoPriority = TEXT("中");
break;
case VideoInfo::Important:
oldColor = pDC->SetTextColor(RGB(0xFF, 0x99, 0));
strVideoPriority = TEXT("高");
break;
default:
oldColor = pDC->SetTextColor(RGB(255, 0, 0));
strVideoPriority = TEXT("低");
break;
}
CRect rtVideoPriority(cw, rtItem.top, cw + iVideoPriorityWidth - 1, rtItem.bottom);
pDC->DrawText(strVideoPriority, strVideoPriority.GetLength(), &rtVideoPriority, DT_CENTER|DT_VCENTER|DT_SINGLELINE);
cw += iVideoPriorityWidth;
pDC->SetTextColor(oldColor);
// 视频大小
int iVideoSizeWidth = GetColumnWidth(4);
double szFile = item.m_dwFileSize;
szFile = szFile / 1048576;
CString strVideoSize;
strVideoSize.Format(TEXT("%.2fMB "), szFile);
CRect rtVideoSize(cw, rtItem.top, cw + iVideoSizeWidth - 1, rtItem.bottom);
pDC->DrawText(strVideoSize, strVideoSize.GetLength(), &rtVideoSize, DT_RIGHT|DT_VCENTER|DT_SINGLELINE);
cw += iVideoSizeWidth;
// 上传进度
int iUploadProcessWidth = GetColumnWidth(5);
double dUploadProcess = (double)item.m_dwPosition / item.m_dwFileSize;
CRect rtUploadProcess(cw + 1, rtItem.top + 1, cw + iUploadProcessWidth - 2, rtItem.bottom - 1);
pDC->Rectangle(&rtUploadProcess);
CDC dc;
dc.CreateCompatibleDC(pDC);
CBitmap* pOldBitmapObj = dc.SelectObject(&m_ProcessBackgroundBmpObj);
pDC->TransparentBlt(rtUploadProcess.left + 1, rtUploadProcess.top + 1, (int)(rtUploadProcess.Width() * dUploadProcess) - 2, rtUploadProcess.Height() - 2, &dc, 0, 0, 1, 15, RGB(0, 0, 0));
dc.SelectObject(pOldBitmapObj);
dc.DeleteDC();
CString strProcess;
strProcess.Format(TEXT("%.2f%%"), dUploadProcess * 100);
pDC->DrawText(strProcess, strProcess.GetLength(), &rtUploadProcess, DT_CENTER|DT_VCENTER|DT_SINGLELINE);
cw += iUploadProcessWidth;
// 上传速度
int iSpeedWidth = GetColumnWidth(6);
CString strSpeed;
if(item.m_dwState == VideoInfo::Uploading)
{
double dTmpSpeed = item.m_dSpeed * 1000 / 1024;
if(dTmpSpeed >= 1024)
{
dTmpSpeed = dTmpSpeed / 1024;
strSpeed.Format(TEXT("%.2fMB/s "), dTmpSpeed);
}
else
strSpeed.Format(TEXT("%.2fKB/s "), dTmpSpeed);
}
CRect rtSpeed(cw, rtItem.top, cw + iSpeedWidth - 1, rtItem.bottom);
pDC->DrawText(strSpeed, strSpeed.GetLength(), &rtSpeed, DT_RIGHT|DT_VCENTER|DT_SINGLELINE);
cw += iSpeedWidth;
// 剩余时间
int iRemainTimeWidth = GetColumnWidth(7);
CString strRemainTime = item.m_strNeedTime.c_str();
strRemainTime.Append(TEXT(" "));
CRect rtRemainTime(cw, rtItem.top, cw + iRemainTimeWidth - 1, rtItem.bottom);
pDC->DrawText(strRemainTime, strRemainTime.GetLength(), &rtRemainTime, DT_RIGHT|DT_VCENTER|DT_SINGLELINE);
cw += iRemainTimeWidth;
// 码率
int iBitRateWidth = GetColumnWidth(8);
CString strBitRate;
double dTmpBitRate = (double)item.m_iVideoBitRate / 1000;
strBitRate.Format(TEXT("%.2fkbps "), dTmpBitRate);
CRect rtBitRate(cw, rtItem.top, cw + iBitRateWidth - 1, rtItem.bottom);
pDC->DrawText(strBitRate, strBitRate.GetLength(), &rtBitRate, DT_RIGHT|DT_VCENTER|DT_SINGLELINE);
cw += iBitRateWidth;
// 时长
int iVideoDurationWidth = GetColumnWidth(9);
CString strVideoDuration = item.m_strVideoDuration.c_str();
strVideoDuration.Append(TEXT(" "));
CRect rtVideoDuration(cw, rtItem.top, cw + iVideoDurationWidth - 1, rtItem.bottom);
pDC->DrawText(strVideoDuration, strVideoDuration.GetLength(), &rtVideoDuration, DT_RIGHT|DT_VCENTER|DT_SINGLELINE);
cw += iVideoDurationWidth;
// 备注
int iRemarkWidth = GetColumnWidth(10);
CString strRemark = item.m_strErrorMessage.c_str();
CRect rtRemark(cw, rtItem.top, cw + iRemarkWidth - 1, rtItem.bottom);
pDC->DrawText(strRemark, strRemark.GetLength(), &rtRemark, DT_LEFT|DT_VCENTER|DT_SINGLELINE);
cw += iRemarkWidth;
}