Пример #1
0
/* Returns 0 on success and 1 on error */
uint8_t
tsk_fs_fls(TSK_FS_INFO * fs, TSK_FS_FLS_FLAG_ENUM lclflags,
    TSK_INUM_T inode, TSK_FS_DIR_WALK_FLAG_ENUM flags, TSK_TCHAR * tpre,
    int32_t skew)
{
    FLS_DATA data;

    data.flags = lclflags;
    data.sec_skew = skew;

#ifdef TSK_WIN32
    {
        size_t clen;
        UTF8 *ptr8;
        UTF16 *ptr16;
        int retval;

        if ((tpre != NULL) && (TSTRLEN(tpre) > 0)) {
            clen = TSTRLEN(tpre) * 4;
            data.macpre = (char *) tsk_malloc(clen);
            if (data.macpre == NULL) {
                return 1;
            }
            ptr8 = (UTF8 *) data.macpre;
            ptr16 = (UTF16 *) tpre;

            retval =
                tsk_UTF16toUTF8_lclorder((const UTF16 **) &ptr16, (UTF16 *)
                & ptr16[TSTRLEN(tpre) + 1], &ptr8,
                (UTF8 *) ((uintptr_t) ptr8 + clen), TSKlenientConversion);
            if (retval != TSKconversionOK) {
                tsk_error_reset();
                tsk_error_set_errno(TSK_ERR_FS_UNICODE);
                tsk_error_set_errstr
                    ("Error converting fls mactime pre-text to UTF-8 %d\n",
                    retval);
                return 1;
            }
        }
        else {
            data.macpre = (char *) tsk_malloc(1);
            if (data.macpre == NULL) {
                return 1;
            }
            data.macpre[0] = '\0';
        }

        retval = tsk_fs_dir_walk(fs, inode, flags, print_dent_act, &data);

        free(data.macpre);
        data.macpre = NULL;
        return retval;
    }
#else
    data.macpre = tpre;
    return tsk_fs_dir_walk(fs, inode, flags, print_dent_act, &data);
#endif
}
Пример #2
0
/**
 * @param db_path Path to DB, which probably does not exist. But it gets passed in because we need
 *   it in a bunch of places. 
 * @param idx_path Path to index file (should be superset of db_path)
 */
TSK_HDB_INFO *idxonly_open(const TSK_TCHAR *db_path, const TSK_TCHAR *idx_path)
{
    TSK_HDB_BINSRCH_INFO *hdb_binsrch_info = NULL;
    TSK_TCHAR *ext;
    TSK_HDB_HTYPE_ENUM htype;

    hdb_binsrch_info = hdb_binsrch_open(NULL, db_path);
    if (NULL == hdb_binsrch_info) {
        return NULL;
    }

    hdb_binsrch_info->base.db_type = TSK_HDB_DBTYPE_IDXONLY_ID;

    // open the index
    ext = TSTRRCHR(idx_path, _TSK_T('-'));
    if (ext == NULL) {
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_HDB_ARG);
        tsk_error_set_errstr("idxonly_open: invalid file name (no extension): %" PRIttocTSK, idx_path);
        return NULL;
    }
    else if ((TSTRLEN(ext) == 8) && (TSTRICMP(ext, _TSK_T("-md5.idx")) == 0)) {
        htype = TSK_HDB_HTYPE_MD5_ID;
    }
    else if ((TSTRLEN(ext) == 9) && (TSTRICMP(ext, _TSK_T("-sha1.idx")) == 0)) {
        htype = TSK_HDB_HTYPE_SHA1_ID;
    }
    else {
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_HDB_ARG);
        tsk_error_set_errstr("idxonly_open: invalid file name (unknown extension): %" PRIttocTSK, idx_path);
        return NULL;
    }
    
    if (hdb_binsrch_open_idx((TSK_HDB_INFO*)hdb_binsrch_info, htype)) {
        return NULL;
    }

    if (idxonly_name(hdb_binsrch_info)) {
        hdb_binsrch_close((TSK_HDB_INFO*)hdb_binsrch_info);
        return NULL;
    }

    hdb_binsrch_info->base.get_db_path = idxonly_get_db_path;
    hdb_binsrch_info->get_entry = idxonly_getentry;

    // Before returning, do one final check that we'll be able to open
    // the index file
    if (hdb_binsrch_open_idx((TSK_HDB_INFO*)hdb_binsrch_info, hdb_binsrch_info->hash_type)) {
        hdb_binsrch_close((TSK_HDB_INFO*)hdb_binsrch_info);
        return NULL;
    }

    return (TSK_HDB_INFO*)hdb_binsrch_info;    
}
Пример #3
0
int carving_hive(TCHAR * path, TSK_FS_INFO *fs, TSK_INUM_T inode)
{

	char buf[0x2000];
	memset(buf, 0, 0x2000);

	WideCharToMultiByte(CP_ACP, 0, path, TSTRLEN(path) , buf, TSTRLEN(path) , NULL, NULL);
	if(tsk_fs_path2inum(fs, buf, &inode, NULL)){
		tsk_error_print(stderr);
		return 0;
	}

	if(hive_extract(fs, inode, TSK_FS_ATTR_TYPE_DEFAULT, NULL, NULL,NULL, (TSK_FS_FILE_WALK_FLAG_ENUM) 0))
		return 0;
	return 1;
}
Пример #4
0
/**
* \ingroup hashdblib
* Sets hash database name in hdb_info based on database file path. 
* @param hdb_info Struct representation of an open hash database.
*/
void 
    hdb_base_db_name_from_path(TSK_HDB_INFO *hdb_info)
{
#ifdef TSK_WIN32
    const char PATH_CHAR = '\\';
#else
    const char PATH_CHAR = '/';
#endif
    TSK_TCHAR * begin;
    TSK_TCHAR * end;
    int i;
    hdb_info->db_name[0] = '\0';

    begin = TSTRRCHR(hdb_info->db_fname, PATH_CHAR);
#ifdef TSK_WIN32
    // cygwin can have forward slashes, so try that too on Windows
    if (!begin) {
        begin = TSTRRCHR(hdb_info->db_fname, '/');
    }
#endif

    if (!begin) {
        begin = hdb_info->db_fname;
    }
    else {
        // unlikely since this means that the dbname is "/"
        if (TSTRLEN(begin) == 1)
            return;
        else
            begin++;
    }

    // end points to the byte after the last one we want to use
    if ((TSTRLEN(hdb_info->db_fname) > 4) && (TSTRICMP(&hdb_info->db_fname[TSTRLEN(hdb_info->db_fname)-4], _TSK_T(".idx")) == 0)) 
        end = &hdb_info->db_fname[TSTRLEN(hdb_info->db_fname)-4];
    else
        end = begin + TSTRLEN(begin);   

    // @@@ This only works for file names with Latin characters. It may need
    // to be fixed some day. Leave it be for now. 
    for(i = 0; i < (end-begin); i++)
    {
        hdb_info->db_name[i] = (char) begin[i];
    }

    hdb_info->db_name[i] = '\0';
}
Пример #5
0
/**
 * \ingroup baselib
 * Parse a TSK_TCHAR block address string. 
 * Note that the cnt\@size format is no longer supported.
 * Set the device sector size in img_open to set the block size. 
 *
 * @param [in] a_offset_str The string version of the offset
 * @return -1 on error or block offset on success
 */
TSK_OFF_T
tsk_parse_offset(const TSK_TCHAR * a_offset_str)
{
    TSK_TCHAR offset_lcl[64], *offset_lcl_p;
    TSK_DADDR_T num_blk;
    TSK_TCHAR *cp;
    
    if (a_offset_str == NULL) {
        return 0;
    }
    if (TSTRLEN(a_offset_str) > 63) {
        tsk_error_reset();
        tsk_errno = TSK_ERR_IMG_OFFSET;
        snprintf(tsk_errstr, TSK_ERRSTR_L,
            "tsk_parse: offset string is too long: %" PRIttocTSK,
            a_offset_str);
        return -1;
    }

    /* Make a local copy */
    TSTRNCPY(offset_lcl, a_offset_str, 64);
    offset_lcl_p = offset_lcl;

    /* Check for the old x@y setup */
    if (TSTRCHR(offset_lcl_p, '@') != NULL) {
        tsk_error_reset();
        tsk_errno = TSK_ERR_IMG_OFFSET;
        snprintf(tsk_errstr, TSK_ERRSTR_L,
                 "tsk_parse: offset string format no longer supported.  Use -b to specify sector size: %" PRIttocTSK,
                 a_offset_str);
        return -1;
    }

    offset_lcl_p = offset_lcl;

    /* remove leading 0s */
    while ((offset_lcl_p[0] != '\0') && (offset_lcl_p[0] == '0'))
        offset_lcl_p++;

    num_blk = 0;
    if (offset_lcl_p[0] != '\0') {
        num_blk = TSTRTOULL(offset_lcl_p, &cp, 0);
        if (*cp || *cp == *offset_lcl_p) {
            tsk_error_reset();
            tsk_errno = TSK_ERR_IMG_OFFSET;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                "tsk_parse: invalid image offset: %" PRIttocTSK,
                offset_lcl_p);
            return -1;
        }
    }

    return num_blk;
}
Пример #6
0
void CMemoryStream::Save(TSTLSTRING strFilePath)
{
	char* pBuffer = new char[m_SaveBufferList.first];
	memset(pBuffer, 0, m_SaveBufferList.first);
	DWORD dwPos = 0;
	for(list<pair<DWORD, const char*> >::iterator iter = m_SaveBufferList.second.begin();
		iter != m_SaveBufferList.second.end();
		++iter)
	{
		if(iter->first == CMemoryStream::DWORD_TYPE)
		{
			memcpy(pBuffer + dwPos, iter->second, sizeof(DWORD));
			dwPos += sizeof(DWORD);
			DWORD* pVal = (DWORD*)iter->second;
			delete pVal;
		}
		else
		{
			memcpy(pBuffer + dwPos, iter->second, sizeof(TSTLSTRING::value_type) * TSTRLEN((const TSTLSTRING::value_type*)iter->second));
			dwPos += sizeof(TSTLSTRING::value_type) * (TSTRLEN((const TSTLSTRING::value_type*)iter->second) + 1);
			delete [] iter->second;
		}
	}

	HANDLE hFile = CreateFile(strFilePath.c_str(), FILE_ALL_ACCESS, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
	if(hFile != INVALID_HANDLE_VALUE)
	{
		DWORD dwWritten = 0;
		if(!WriteFile(hFile, pBuffer, m_SaveBufferList.first, &dwWritten, NULL))
			throw Exception(TEXT("写入文件失败。"));
		CloseHandle(hFile);
	}
	else
	{
		throw Exception(TEXT("创建文件失败。"));
	}

	delete [] pBuffer;
	m_SaveBufferList.first = 0;
	m_SaveBufferList.second.clear();
}
Пример #7
0
/**
 * Find the meta data address for a given file TCHAR name
 *
 * @param fs FS to analyze
 * @param tpath Path of file to search for
 * @param [out] result Meta data address of file
 * @returns -1 on error, 0 if found, and 1 if not found
 */
int8_t
tsk_fs_ifind_path(TSK_FS_INFO * fs, TSK_TCHAR * tpath, TSK_INUM_T * result)
{

#ifdef TSK_WIN32
    // Convert the UTF-16 path to UTF-8
    {
        size_t clen;
        UTF8 *ptr8;
        UTF16 *ptr16;
        int retval;
        char *cpath;

        clen = TSTRLEN(tpath) * 4;
        if ((cpath = (char *) tsk_malloc(clen)) == NULL) {
            return -1;
        }
        ptr8 = (UTF8 *) cpath;
        ptr16 = (UTF16 *) tpath;

        retval =
            tsk_UTF16toUTF8_lclorder((const UTF16 **) &ptr16, (UTF16 *)
            & ptr16[TSTRLEN(tpath) + 1], &ptr8,
            (UTF8 *) ((uintptr_t) ptr8 + clen), TSKlenientConversion);
        if (retval != TSKconversionOK) {
            tsk_error_reset();
            tsk_error_set_errno(TSK_ERR_FS_UNICODE);
            tsk_error_set_errstr
                ("tsk_fs_ifind_path: Error converting path to UTF-8: %d",
                retval);
            free(cpath);
            return -1;
        }
        return tsk_fs_path2inum(fs, cpath, result, NULL);
    }
#else
    return tsk_fs_path2inum(fs, (const char *) tpath, result, NULL);
#endif
}
static int convert(TSK_TCHAR *OPTARG, char **_opt_arg)
{
		char *opt_arg=*_opt_arg;
		char *temp = NULL;
		int arg_len = TSTRLEN(OPTARG);
		int ret_val = 0;

		opt_arg=(char *)tsk_malloc(TSTRLEN(OPTARG)+2);
		temp=opt_arg;
		ret_val = 
			tsk_UTF16toUTF8(TSK_LIT_ENDIAN,
			(const UTF16 **) &OPTARG, (UTF16 *)(OPTARG+arg_len+1),
			(UTF8 **)&temp, (UTF8 *)(temp+arg_len+2), TSKlenientConversion);
		if (ret_val)
		{
			printf("Conversion Error ret_val: %d\n", ret_val);
			return ret_val;
		}
		*_opt_arg=opt_arg;
		printf("opt_arg: %s\n",opt_arg);
		return 0;
}
Пример #9
0
/**
 * Setup the hash-type specific information (such as length, index entry
 * sizes, index name etc.) in the HDB_INFO structure.
 *
 * @param hdb_info Structure to fill in.
 * @param htype Hash type being used
 * @return 1 on error and 0 on success
 */
static uint8_t
hdb_setuphash(TSK_HDB_INFO * hdb_info, uint8_t htype)
{
    size_t flen;

    if (hdb_info->hash_type != 0) {
        return 0;
    }

    /* Make the name for the index file */
    flen = TSTRLEN(hdb_info->db_fname) + 32;
    hdb_info->idx_fname =
        (TSK_TCHAR *) talloc_size(hdb_info, flen * sizeof(TSK_TCHAR));
    if (hdb_info->idx_fname == NULL) {
        return 1;
    }

    /* Get hash type specific information */
    switch (htype) {
    case TSK_HDB_HTYPE_MD5_ID:
        hdb_info->hash_type = htype;
        hdb_info->hash_len = TSK_HDB_HTYPE_MD5_LEN;
        hdb_info->idx_llen = TSK_HDB_IDX_LEN(htype);
        TSNPRINTF(hdb_info->idx_fname, flen, _TSK_T("%s-%s.idx"),
                  hdb_info->db_fname, _TSK_T(TSK_HDB_HTYPE_MD5_STR));
        return 0;
    case TSK_HDB_HTYPE_SHA1_ID:
        hdb_info->hash_type = htype;
        hdb_info->hash_len = TSK_HDB_HTYPE_SHA1_LEN;
        hdb_info->idx_llen = TSK_HDB_IDX_LEN(htype);
        TSNPRINTF(hdb_info->idx_fname, flen, _TSK_T("%s-%s.idx"),
                  hdb_info->db_fname, _TSK_T(TSK_HDB_HTYPE_SHA1_STR));
        return 0;

    }

    tsk_error_reset();
    tsk_errno = TSK_ERR_HDB_ARG;
    snprintf(tsk_errstr, TSK_ERRSTR_L,
             "hdb_setuphash: Invalid hash type as argument: %d", htype);
    return 1;
}
Пример #10
0
/**
* \ingroup hashdblib
* \internal
* Initializes TSK_HDB_INFO struct with "base class" method pointers and basic
* setup of values.  
* @param hdb_info Allocated struct to initialize.
* @param db_path 
* @return 0 on success, 1 on failure.
*/
uint8_t 
    hdb_info_base_open(TSK_HDB_INFO *hdb_info, const TSK_TCHAR *db_path)
{
    // copy the database path into the struct
    size_t path_len = TSTRLEN(db_path); 
    hdb_info->db_fname = (TSK_TCHAR*)tsk_malloc((path_len + 1) * sizeof(TSK_TCHAR));
    if (!hdb_info->db_fname) {
        return 1;
    }
    TSTRNCPY(hdb_info->db_fname, db_path, path_len);

    // set the name based on path
    hdb_base_db_name_from_path(hdb_info);

    hdb_info->db_type = TSK_HDB_DBTYPE_INVALID_ID;
    tsk_init_lock(&hdb_info->lock);

    hdb_info->transaction_in_progress = 0;

    hdb_info->get_db_path = hdb_base_get_db_path;
    hdb_info->get_display_name = hdb_base_get_display_name;
    hdb_info->uses_external_indexes = hdb_base_uses_external_indexes;
    hdb_info->get_index_path = hdb_base_get_index_path;
    hdb_info->has_index = hdb_base_has_index; 
    hdb_info->make_index = hdb_base_make_index;
    hdb_info->open_index = hdb_base_open_index;
    hdb_info->lookup_str = hdb_base_lookup_str;
    hdb_info->lookup_raw = hdb_base_lookup_bin;
    hdb_info->lookup_verbose_str = hdb_base_lookup_verbose_str;
    hdb_info->accepts_updates = hdb_base_accepts_updates;
    hdb_info->add_entry = hdb_base_add_entry;
    hdb_info->begin_transaction = hdb_base_begin_transaction;
    hdb_info->commit_transaction = hdb_base_commit_transaction;
    hdb_info->rollback_transaction = hdb_base_rollback_transaction;
    hdb_info->close_db = hdb_info_base_close;

    return 0;
}
/**
* \ingroup hashdblib
* Creates a new hash database. 
* @param file_path Path for database to create.
* @return 0 on success, 1 otherwise
*/
uint8_t 
    tsk_hdb_create(TSK_TCHAR *file_path)
{
    TSK_TCHAR *ext = NULL; 

    if (NULL ==  file_path) {
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_HDB_ARG);
        tsk_error_set_errstr("tsk_hdb_create: NULL file path");
        return 1;
    }

    ext = TSTRRCHR(file_path, _TSK_T('.'));    
    if ((NULL != ext) && (TSTRLEN(ext) >= 4) && (TSTRCMP(ext, _TSK_T(".kdb")) == 0)) {
        return sqlite_hdb_create_db(file_path); 
    }
    else {
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_HDB_ARG);
        tsk_error_set_errstr("tsk_hdb_create: path must end in .kdb extension");
        return 1;
    }
}
Пример #12
0
/* Return -1 for error, 0 if found, and 1 if not found */
int8_t
tsk_fs_ifind_path(TSK_FS_INFO * fs, uint8_t lclflags, TSK_TCHAR * tpath,
                  INUM_T * result)
{
    char *cpath;
    IFIND_PATH_DATA ipd;


    localflags = lclflags;


#ifdef TSK_WIN32
    {
        size_t clen;
        UTF8 *ptr8;
        UTF16 *ptr16;
        int retval;

        clen = TSTRLEN(tpath) * 4;
        cpath = (char *) tsk_malloc(clen);
        if (cpath == NULL) {
            return -1;
        }
        ptr8 = (UTF8 *) cpath;
        ptr16 = (UTF16 *) tpath;

        retval =
            tsk_UTF16toUTF8(fs->endian, (const UTF16 **) &ptr16, (UTF16 *)
                            & ptr16[TSTRLEN(tpath) + 1], &ptr8,
                            (UTF8 *) ((uintptr_t) ptr8 + clen), TSKlenientConversion);
        if (retval != TSKconversionOK) {
            tsk_error_reset();
            tsk_errno = TSK_ERR_FS_UNICODE;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                     "tsk_fs_ifind_path: Error converting path to UTF-8: %d",
                     retval);
            free(cpath);
            return -1;
        }
    }
#else
    cpath = tpath;
#endif

    ipd.id = IFIND_PATH_DATA_ID;
    ipd.found = 0;
    ipd.badpath = 0;
    ipd.cur_dir = (char *) strtok_r(cpath, "/", &ipd.strtok_last);
    ipd.cur_attr = NULL;

    /* If there is no token, then only a '/' was given */
    if (!(ipd.cur_dir)) {
#ifdef TSK_WIN32
        free(cpath);
#endif
        *result = fs->root_inum;
        return 0;
    }

    /* If this is NTFS, ensure that we take out the attribute */
    if (((fs->ftype & TSK_FS_INFO_TYPE_FS_MASK) ==
            TSK_FS_INFO_TYPE_NTFS_TYPE)
            && ((ipd.cur_attr = strchr(ipd.cur_dir, ':')) != NULL)) {
        *(ipd.cur_attr) = '\0';
        ipd.cur_attr++;
    }

    if (tsk_verbose)
        tsk_fprintf(stderr, "Looking for %s\n", ipd.cur_dir);

    if (fs->dent_walk(fs, fs->root_inum,
                      TSK_FS_DENT_FLAG_ALLOC | TSK_FS_DENT_FLAG_UNALLOC,
                      ifind_path_act, (void *) &ipd)) {
        /* If we found files before the error was encountered, then
         * ignore it */
        if (ipd.found == 0) {
#ifdef TSK_WIN32
            free(cpath);
#endif
            return -1;
        }
        else {
            tsk_error_reset();
        }
    }


#ifdef TSK_WIN32
    free(cpath);
#endif

    if (1 == ipd.badpath) {
        if (tsk_verbose)
            tsk_fprintf(stderr, "Invalid path (%s is a file)\n",
                        fs_dent->name);
        *result = 0;
        return 1;
    }
    else if (0 == ipd.found) {
        if (tsk_verbose)
            tsk_printf("File not found: %s\n", ipd.cur_dir);
        *result = 0;
        return 1;
    }

    *result = ipd.addr;
    return 0;
}
Пример #13
0
/**
    Originally we used tsk_img_open_sing(), but that leads to calling ewf_open(),
    which in turn will fail if the L01 file has an incorrect filename extension.
    This function is a simpler version of ewf_open() which will not fail if the
    filename extension is wrong.
*/
TSK_IMG_INFO * TskL01Extract::openEwfSimple()
{
    const int a_num_img = 1;
    unsigned int a_ssize = 512;
    int result = 0;
    TSK_IMG_INFO *img_info = NULL;
    ewf::libewf_error_t *ewfError = NULL;
    ewf::IMG_EWF_INFO *ewf_info = NULL;

    try
    {
        // Make an absolute path (if it's relative) so that libewf doesn't cause 
        // an error when it tries to make it absolute.
        Poco::Path tempPath(TskUtilities::toUTF8(m_archivePath));
        tempPath.makeAbsolute();
        // We convert to unicode here because that is what the TSK_IMG_INFO structure requires.
        std::wstring ewfArchivePath = TskUtilities::toUTF16(tempPath.toString());

        if ((ewf_info = (ewf::IMG_EWF_INFO *) tsk_img_malloc(sizeof(ewf::IMG_EWF_INFO))) == NULL)
        {
            throw TskException("tsk_img_malloc");
        }
        img_info = (TSK_IMG_INFO *) ewf_info;

        if (ewf::libewf_handle_initialize(&(ewf_info->handle), &ewfError) != 1)
        {
            throw TskException("libewf_handle_initialize");
        }

        //int i;
        ewf_info->num_imgs = a_num_img;
        if ((ewf_info->images = (TSK_TCHAR **) tsk_malloc(a_num_img * sizeof(TSK_TCHAR *))) == NULL)
        {
            throw TskException("tsk_malloc");
        }

        if ((ewf_info->images[0] =
            (TSK_TCHAR *) tsk_malloc((TSTRLEN(ewfArchivePath.c_str()) + 1) * sizeof(TSK_TCHAR))) == NULL)
        {
            throw TskException("tsk_malloc 2");
        }
        TSTRNCPY(ewf_info->images[0], ewfArchivePath.c_str(), TSTRLEN(ewfArchivePath.c_str()) + 1);

        ///NOTE: libewf_handle_open_wide() will not open the file if the filename length is < 4 chars long.
        ewfError = NULL;
    #if defined( TSK_WIN32 )
        if (ewf::libewf_handle_open_wide(ewf_info->handle, (TSK_TCHAR * const *) ewf_info->images,
            ewf_info->num_imgs, ewf::LIBEWF_ACCESS_FLAG_READ, &ewfError) != 1)
    #else
        if (ewf::libewf_handle_open(ewf_info->handle,
                (char *const *) ewf_info->images,
                ewf_info->num_imgs, ewf::LIBEWF_OPEN_READ, &ewfError) != 1)
    #endif
        {
            throw TskException("libewf_handle_open_wide");
        }

        ewfError = NULL;
        if (ewf::libewf_handle_get_media_size(ewf_info->handle,
                (ewf::size64_t *) & (img_info->size), &ewfError) != 1)
        {
            throw TskException("libewf_handle_get_media_size");
        }

        ewfError = NULL;
        result = ewf::libewf_handle_get_utf8_hash_value_md5(ewf_info->handle,
            (uint8_t *) ewf_info->md5hash, 33, &ewfError);

        if (result == -1)
        {
            throw TskException("libewf_handle_get_utf8_hash_value_md5");
        }
        ewf_info->md5hash_isset = result;

        if (a_ssize != 0)
        {
            img_info->sector_size = a_ssize;
        }
        else
        {
            img_info->sector_size = 512;
        }

        img_info->itype   = TSK_IMG_TYPE_EWF_EWF;
        img_info->close   = ewf_image_close;
        img_info->read    = null_read;
        img_info->imgstat = null_imgstat;

        // initialize the read lock
        tsk_init_lock(&(ewf_info->read_lock));

        return img_info;
    }
    catch (TskException &ex)
    {
        std::ostringstream msg;
        msg << "openEwfSimple: TskException: " << ex.message();
        if (ewfError)
        {
            char errorString[512];
            errorString[0] = '\0';
            ewf::libewf_error_backtrace_sprint(ewfError, errorString, 512);
            msg << " - libewf error: " << errorString << std::endl;
        }
        LOGERROR(msg.str());
        free(ewf_info);
        return NULL;
    }
}
Пример #14
0
/** 
 * \internal
 * Open the set of disk images as a set of split raw images
 *
 * @param a_num_img Number of images in set
 * @param a_images List of disk image paths (in sorted order)
 * @param a_ssize Size of device sector in bytes (or 0 for default)
 *
 * @return NULL on error
 */
TSK_IMG_INFO *
raw_open(int a_num_img, const TSK_TCHAR * const a_images[],
    unsigned int a_ssize)
{
    IMG_RAW_INFO *raw_info;
    TSK_IMG_INFO *img_info;
    int i;
    TSK_OFF_T first_seg_size;

    if ((raw_info =
            (IMG_RAW_INFO *) tsk_img_malloc(sizeof(IMG_RAW_INFO))) == NULL)
        return NULL;

    img_info = (TSK_IMG_INFO *) raw_info;

    img_info->itype = TSK_IMG_TYPE_RAW;
    img_info->read = raw_read;
    img_info->close = raw_close;
    img_info->imgstat = raw_imgstat;

    img_info->sector_size = 512;
    if (a_ssize)
        img_info->sector_size = a_ssize;
    raw_info->is_winobj = 0;

#if defined(TSK_WIN32) || defined(__CYGWIN__)
    /* determine if this is the path to a Windows device object */
    if ((a_images[0][0] == _TSK_T('\\'))
        && (a_images[0][1] == _TSK_T('\\'))
        && ((a_images[0][2] == _TSK_T('.')) || (a_images[0][2] == _TSK_T('?')))
        && (a_images[0][3] == _TSK_T('\\'))) {
        raw_info->is_winobj = 1;
    }
#endif

    /* Check that the first image file exists and is not a directory */
    first_seg_size = get_size(a_images[0], raw_info->is_winobj);
    if (first_seg_size < -1) {
        tsk_img_free(raw_info);
        return NULL;
    }

    /* see if there are more of them... */
    if ((a_num_img == 1) && (raw_info->is_winobj == 0)) {
        if ((raw_info->images =
                tsk_img_findFiles(a_images[0],
                    &raw_info->num_img)) == NULL) {
            tsk_error_reset();
            tsk_error_set_errno(TSK_ERR_IMG_STAT);
            tsk_error_set_errstr
                ("raw_open: could not find segment files starting at \"%"
                PRIttocTSK "\"", a_images[0]);
            tsk_img_free(raw_info);
            return NULL;
        }
    }
    else {
        raw_info->num_img = a_num_img;
        raw_info->images =
            (TSK_TCHAR **) tsk_malloc(sizeof(TSK_TCHAR *) * a_num_img);
        if (raw_info->images == NULL) {
            tsk_img_free(raw_info);
            return NULL;
        }

        for (i = 0; i < raw_info->num_img; i++) {
            size_t len = TSTRLEN(a_images[i]);
            raw_info->images[i] =
                (TSK_TCHAR *) tsk_malloc(sizeof(TSK_TCHAR) * (len + 1));
            if (raw_info->images[i] == NULL) {
                int j;
                for (j = 0; j < i; j++) {
                    free(raw_info->images[j]);
                }
                free(raw_info->images);
                tsk_img_free(raw_info);
                return NULL;
            }
            TSTRNCPY(raw_info->images[i], a_images[i], len + 1);
        }
    }

    /* sanity check: when we have multiple segments, the size of
     * each must be known */
    if ((raw_info->num_img > 1) && (first_seg_size < 0)) {
        if (tsk_verbose) {
            tsk_fprintf(stderr,
                "raw_open: file size is unknown in a segmented raw image\n");
        }

        for (i = 0; i < raw_info->num_img; i++) {
            free(raw_info->images[i]);
        }
        free(raw_info->images);
        tsk_img_free(raw_info);
        return NULL;
    }

    /* initialize the split cache */
    raw_info->cptr = (int *) tsk_malloc(raw_info->num_img * sizeof(int));
    if (raw_info->cptr == NULL) {
        for (i = 0; i < raw_info->num_img; i++) {
            free(raw_info->images[i]);
        }
        free(raw_info->images);
        tsk_img_free(raw_info);
        return NULL;
    }
    memset((void *) &raw_info->cache, 0,
        SPLIT_CACHE * sizeof(IMG_SPLIT_CACHE));
    raw_info->next_slot = 0;

    /* initialize the offset table and re-use the first segment
     * size gathered above */
    raw_info->max_off =
        (TSK_OFF_T *) tsk_malloc(raw_info->num_img * sizeof(TSK_OFF_T));
    if (raw_info->max_off == NULL) {
        free(raw_info->cptr);
        for (i = 0; i < raw_info->num_img; i++) {
            free(raw_info->images[i]);
        }
        free(raw_info->images);
        tsk_img_free(raw_info);
        return NULL;
    }
    img_info->size = first_seg_size;
    raw_info->max_off[0] = img_info->size;
    raw_info->cptr[0] = -1;
    if (tsk_verbose) {
        tsk_fprintf(stderr,
            "raw_open: segment: 0  size: %" PRIuOFF "  max offset: %"
            PRIuOFF "  path: %" PRIttocTSK "\n", first_seg_size,
            raw_info->max_off[0], raw_info->images[0]);
    }

    /* get size info for each file - we do not open each one because that
     * could cause us to run out of file decsriptors when we only need a few.
     * The descriptors are opened as needed */
    for (i = 1; i < raw_info->num_img; i++) {
        TSK_OFF_T size;
        raw_info->cptr[i] = -1;
        size = get_size(raw_info->images[i], raw_info->is_winobj);
        if (size < 0) {
            if (size == -1) {
                if (tsk_verbose) {
                    tsk_fprintf(stderr,
                        "raw_open: file size is unknown in a segmented raw image\n");
                }
            }
            free(raw_info->cptr);
            for (i = 0; i < raw_info->num_img; i++) {
                free(raw_info->images[i]);
            }
            free(raw_info->images);
            tsk_img_free(raw_info);
            return NULL;
        }

        /* add the size of this image to the total and save the current max */
        img_info->size += size;
        raw_info->max_off[i] = img_info->size;

        if (tsk_verbose) {
            tsk_fprintf(stderr,
                "raw_open: segment: %d  size: %" PRIuOFF "  max offset: %"
                PRIuOFF "  path: %" PRIttocTSK "\n", i, size,
                raw_info->max_off[i], raw_info->images[i]);
        }
    }

    return img_info;
}
Пример #15
0
int
main(int argc, char ** argv1)
{
    int ch;
    TSK_TCHAR *idx_type = NULL;
    TSK_TCHAR *db_file = NULL;
    TSK_TCHAR *lookup_file = NULL;
    unsigned int flags = 0;
    TSK_HDB_INFO *hdb_info;
    TSK_TCHAR **argv;
    bool create = false;
    bool addHash = false;

#ifdef TSK_WIN32
    // On Windows, get the wide arguments (mingw doesn't support wmain)
    argv = CommandLineToArgvW(GetCommandLineW(), &argc);
    if( argv == NULL) {    
        tsk_fprintf(stderr, "Error getting wide arguments\n");
        exit(1);
    }
#else
    argv = (TSK_TCHAR **)argv1;
#endif
    
    progname = argv[0];
    setlocale(LC_ALL, "");

    while ((ch = GETOPT(argc, argv, _TSK_T("cef:i:aqV"))) > 0) {
        switch (ch) {
        case _TSK_T('e'):
            flags |= TSK_HDB_FLAG_EXT;
            break;

        case _TSK_T('f'):
            lookup_file = OPTARG;
            break;

        case _TSK_T('i'):
            idx_type = OPTARG;
            break;

        case _TSK_T('c'):
            create = true;
            break;

        case _TSK_T('a'):
            addHash = true;
            break;

        case _TSK_T('q'):
            flags |= TSK_HDB_FLAG_QUICK;
            break;

        case _TSK_T('V'):
            tsk_version_print(stdout);
            exit(0);

        default:
            usage();
        }
    }
    
    if ((addHash) && ((idx_type != NULL) || (create))) {
        tsk_fprintf(stderr, "-a cannot be specified with -c or -i\n");
        usage();
    }

    if (OPTIND + 1 > argc) {
        tsk_fprintf(stderr,
                    "Error: You must provide the source hash database location\n");
        usage();
    }

    db_file = argv[OPTIND++];

    // Running in create mode (-c option). Make a new hash database and exit.
    if (create) {
        if (idx_type != NULL) {
            tsk_fprintf(stderr, "-c and -i cannot be specified at same time\n");
            usage();
        }
        
        TSK_TCHAR *ext = TSTRRCHR(db_file, _TSK_T('.'));    
        if ((NULL != ext) && (TSTRLEN(ext) >= 4) && (TSTRCMP(ext, _TSK_T(".kdb")) == 0)) {
            if (0 == tsk_hdb_create(db_file)) {
                tsk_fprintf(stdout, "New database %" PRIttocTSK" created\n", db_file);
                return 0;
            }
            else {
                tsk_fprintf(stderr, "Failed to create new database %" PRIttocTSK"\n", db_file);
                return 1;
            }        
        }
        else {
            tsk_fprintf(stderr, "New database path must end in .kdb extension\n");
            return 1;
        }
    }
        
    // Opening an existing database.    
    if ((hdb_info = tsk_hdb_open(db_file, TSK_HDB_OPEN_NONE)) == NULL) {
        tsk_error_print(stderr);
        return 1;
    }
    
    // Now that the database is open and its type is known, if running in add hashes mode (-a option)
    // see if it takes updates.
    if (addHash && !tsk_hdb_accepts_updates(hdb_info)) {
        tsk_fprintf(stderr, "-a option specified, but the specified database does not allow hashes to be added\n");
        usage();
    }

    // Running in indexing mode (-i option). Create an index file and exit.
    if (idx_type != NULL) {
        if (lookup_file != NULL) {
            tsk_fprintf(stderr, "'-f' flag can't be used with '-i'\n");
            usage();
        }

        if (flags & TSK_HDB_FLAG_QUICK) {
            tsk_fprintf(stderr, "'-q' flag can't be used with '-i'\n");
            usage();
        }

        if (flags & TSK_HDB_FLAG_EXT) {
            tsk_fprintf(stderr, "'-e' flag can't be used with '-i'\n");
            usage();
        }

        if (!tsk_hdb_uses_external_indexes(hdb_info)) {
            tsk_fprintf(stderr, "Database does not use external indexes, can't be used with '-i'\n");
        }

        if (tsk_hdb_is_idx_only(hdb_info)) {
            tsk_fprintf(stderr, "Database is index only, can be used for look ups, but can't be used with '-i'\n");
        }

        if (tsk_hdb_make_index(hdb_info, idx_type)) {
            tsk_error_print(stderr);
            tsk_hdb_close(hdb_info);
            return 1;
        }
        
        tsk_fprintf(stdout, "Index created\n");
        tsk_hdb_close(hdb_info);
        return 0;
    }

    /* Either lookup hash values or add them to DB.
     * Check if the values were passed on the command line or via a file 
     */
    if (OPTIND < argc) {

        if ((OPTIND + 1 < argc) && (flags & TSK_HDB_FLAG_QUICK)) {
            fprintf(stderr,
                    "Error: Only one hash can be given with quick option\n");
            usage();
        }

        if ((flags & TSK_HDB_FLAG_EXT) && (flags & TSK_HDB_FLAG_QUICK)) {
            fprintf(stderr, "'-e' flag can't be used with '-q'\n");
            usage();
        }

        if (lookup_file != NULL) {
            fprintf(stderr,
                    "Error: -f can't be used when hashes are also given\n");
            usage();
        }

        /* Loop through all provided hash values
         */
        while (OPTIND < argc) {
            char htmp[128];
            int i;
            int retval;

            // convert to char -- lazy way to deal with WCHARs..
            for (i = 0; i < 127 && argv[OPTIND][i] != '\0'; i++) {
                htmp[i] = (char) argv[OPTIND][i];
            }
            htmp[i] = '\0';

            if (addHash) {
                // Write a new hash to the database/index, if it's updateable
                //@todo support sha1 and sha2-256
                retval = tsk_hdb_add_entry(hdb_info, NULL, (const char *)htmp, NULL, NULL, NULL);
                if (retval == 1) {
                    printf("There was an error adding the hash.\n");
                    tsk_error_print(stderr);
                    return 1;
                }
                else if (retval == 0) {
                    printf("Hash %s added.\n", htmp);
                }
            }
            else {
                /* Perform lookup */
                retval = tsk_hdb_lookup_str(hdb_info, (const char *)htmp, 
                         (TSK_HDB_FLAG_ENUM)flags, lookup_act, NULL);
                if (retval == -1) {
                    tsk_error_print(stderr);
                    return 1;
                }
                if (flags & TSK_HDB_FLAG_QUICK) {
                    printf("%d\n", retval);
                }
                else if (retval == 0) {
                    print_notfound(htmp);
                }
            }
            OPTIND++;
        }
    }
    /* Hash were given from stdin or a file */
    else {
        char buf[100];

        /* If the file was specified, use that - otherwise stdin */
#ifdef TSK_WIN32
        HANDLE handle = NULL;
        if (lookup_file != NULL) {
            if ((handle = CreateFile(lookup_file, GENERIC_READ,
                                     FILE_SHARE_READ, 0, OPEN_EXISTING, 0,
                                     0)) == INVALID_HANDLE_VALUE) {
                TFPRINTF(stderr, _TSK_T("Error opening hash file: %s\n"),
                         lookup_file);
                exit(1);
            }
        }
        else {
            handle = GetStdHandle(STD_INPUT_HANDLE);
        }
#else
        FILE *handle = NULL;
        if (lookup_file != NULL) {
            handle = fopen(lookup_file, "r");
            if (!handle) {
                fprintf(stderr, "Error opening hash file: %s\n",
                        lookup_file);
                exit(1);
            }
        }
        else {
            handle = stdin;
        }
#endif

        while (1) {
            int retval;
            memset(buf, 0, 100);
#ifdef TSK_WIN32
            int done = 0;
            // win32 doesn't have a fgets equivalent, so we make an equivalent one
            for (int i = 0; i < 100; i++) {
                DWORD nread;

                if (FALSE == ReadFile(handle, &buf[i], (DWORD) 1, &nread, NULL)) {
                    done = 1;
                    break;
                }
                // skip the windows CR
                else if (buf[i] == '\r') {
                    buf[i] = '\0';
                    i--;
                    continue;
                }
                else if (buf[i] == '\n') {
                    break;
                }
            }
            
            if (done)
                break;
#else
            if (NULL == fgets(buf, 100, handle)) {
                break;
            }
#endif

            /* Remove the newline */
            buf[strlen(buf) - 1] = '\0';

            retval =
                tsk_hdb_lookup_str(hdb_info, (const char *)buf, 
                        (TSK_HDB_FLAG_ENUM)flags, lookup_act, NULL);
            if (retval == -1) {
                tsk_error_print(stderr);
                return 1;
            }
            if (flags & TSK_HDB_FLAG_QUICK) {
                printf("%d\n", retval);
                break;
            }
            else if (retval == 0) {
                print_notfound(buf);
            }
        }
        
#ifdef TSK_WIN32
        if (lookup_file != NULL)
            CloseHandle(handle);
#else
        if (lookup_file != NULL)
            fclose(handle);
#endif
        
    }

    tsk_hdb_close(hdb_info);
    return 0;
}
Пример #16
0
/**
 * Open a hash database and index for lookup.
 *
 * @param db_file Path to database.
 * @param flags Flags for opening the database.  
 *
 * @return Poiner to hash database state structure or NULL on error
 */
TSK_HDB_INFO *
tsk_hdb_open(TSK_TCHAR * db_file, TSK_HDB_OPEN_ENUM flags)
{
    TSK_HDB_INFO *hdb_info;
    size_t flen;
    FILE *hDb;
    uint8_t dbtype = 0;

    if ((flags & TSK_HDB_OPEN_IDXONLY) == 0) {
        /* Open the database file */
#ifdef TSK_WIN32
        {
            HANDLE hWin;

            if ((hWin = CreateFile(db_file, GENERIC_READ,
                                   FILE_SHARE_READ, 0, OPEN_EXISTING, 0,
                                   0)) == INVALID_HANDLE_VALUE) {
                tsk_error_reset();
                tsk_errno = TSK_ERR_HDB_OPEN;
                snprintf(tsk_errstr, TSK_ERRSTR_L,
                         "hdb_open: Error opening database file: %s",
                         db_file);
                return NULL;
            }
            hDb =
                _fdopen(_open_osfhandle((intptr_t) hWin, _O_RDONLY), "r");
            if (hDb == NULL) {
                tsk_error_reset();
                tsk_errno = TSK_ERR_HDB_OPEN;
                snprintf(tsk_errstr, TSK_ERRSTR_L,
                         "hdb_open: Error converting Windows handle to C handle");
                return NULL;
            }
        }
#else
        if (NULL == (hDb = fopen(db_file, "r"))) {
            tsk_error_reset();
            tsk_errno = TSK_ERR_HDB_OPEN;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                     "hdb_open: Error opening database file: %s", db_file);
            return NULL;
        }
#endif

        /* Try to figure out what type of DB it is */
        if (nsrl_test(hDb)) {
            dbtype = TSK_HDB_DBTYPE_NSRL_ID;
        }
        if (md5sum_test(hDb)) {
            if (dbtype != 0) {
                tsk_error_reset();
                tsk_errno = TSK_ERR_HDB_UNKTYPE;
                snprintf(tsk_errstr, TSK_ERRSTR_L,
                         "hdb_open: Error determining DB type (MD5sum)");
                return NULL;
            }
            dbtype = TSK_HDB_DBTYPE_MD5SUM_ID;
        }
        if (hk_test(hDb)) {
            if (dbtype != 0) {
                tsk_error_reset();
                tsk_errno = TSK_ERR_HDB_UNKTYPE;
                snprintf(tsk_errstr, TSK_ERRSTR_L,
                         "hdb_open: Error determining DB type (HK)");
                return NULL;
            }
            dbtype = TSK_HDB_DBTYPE_HK_ID;
        }
        if (dbtype == 0) {
            tsk_error_reset();
            tsk_errno = TSK_ERR_HDB_UNKTYPE;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                     "hdb_open: Error determining DB type");
            return NULL;
        }
        fseeko(hDb, 0, SEEK_SET);
    }
    else {
        dbtype = TSK_HDB_DBTYPE_IDXONLY_ID;
        hDb = NULL;
    }

    if ((hdb_info = talloc(NULL, TSK_HDB_INFO)) == NULL)
        return NULL;

    hdb_info->hDb = hDb;

    /* Get database specific information */
    hdb_info->db_type = dbtype;
    switch (dbtype) {
    case TSK_HDB_DBTYPE_NSRL_ID:
        hdb_info->getentry = nsrl_getentry;
        hdb_info->makeindex = nsrl_makeindex;
        break;

    case TSK_HDB_DBTYPE_MD5SUM_ID:
        hdb_info->getentry = md5sum_getentry;
        hdb_info->makeindex = md5sum_makeindex;
        break;

    case TSK_HDB_DBTYPE_HK_ID:
        hdb_info->getentry = hk_getentry;
        hdb_info->makeindex = hk_makeindex;
        break;

    case TSK_HDB_DBTYPE_IDXONLY_ID:
        hdb_info->getentry = idxonly_getentry;
        hdb_info->makeindex = idxonly_makeindex;
        break;

    default:
        return NULL;
    }

    hdb_info->hash_type = 0;
    hdb_info->hash_len = 0;
    hdb_info->idx_fname = NULL;

    hdb_info->uns_fname = NULL;
    hdb_info->hIdxTmp = NULL;
    hdb_info->hIdx = NULL;

    hdb_info->idx_size = 0;
    hdb_info->idx_off = 0;

    hdb_info->idx_lbuf = NULL;


    /* Copy the database name into the structure */
    flen = TSTRLEN(db_file) + 8;        // + 32;

    hdb_info->db_fname =
        (TSK_TCHAR *) talloc_size(hdb_info, flen * sizeof(TSK_TCHAR));
    if (hdb_info->db_fname == NULL) {
        talloc_free(hdb_info);
        return NULL;
    }
    TSTRNCPY(hdb_info->db_fname, db_file, flen);

    return hdb_info;
}
Пример #17
0
/** Initialize the TSK hash DB index file. This creates the intermediate file,
 * which will have entries added to it.  This file must be sorted before the 
 * process is finished.
 *
 * @param hdb_info Hash database state structure
 * @param htype String of index type to create
 *
 * @return 1 on error and 0 on success
 *
 */
uint8_t
tsk_hdb_idxinitialize(TSK_HDB_INFO * hdb_info, TSK_TCHAR * htype)
{
    size_t flen;
    char dbtmp[32];
    int i;


    /* Use the string of the index/hash type to figure out some
     * settings */

    // convert to char -- cheating way to deal with WCHARs..
    for (i = 0; i < 31 && htype[i] != '\0'; i++) {
        dbtmp[i] = (char) htype[i];
    }
    dbtmp[i] = '\0';

    if (strcmp(dbtmp, TSK_HDB_DBTYPE_NSRL_MD5_STR) == 0) {

        if (hdb_info->db_type != TSK_HDB_DBTYPE_NSRL_ID) {
            tsk_error_reset();
            tsk_errno = TSK_ERR_HDB_ARG;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                     "hdb_idxinitialize: database detected as: %d index creation as: %d",
                     hdb_info->db_type, TSK_HDB_DBTYPE_NSRL_ID);
            return 1;
        }
        hdb_setuphash(hdb_info, TSK_HDB_HTYPE_MD5_ID);
    }
    else if (strcmp(dbtmp, TSK_HDB_DBTYPE_NSRL_SHA1_STR) == 0) {
        if (hdb_info->db_type != TSK_HDB_DBTYPE_NSRL_ID) {
            tsk_error_reset();
            tsk_errno = TSK_ERR_HDB_ARG;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                     "hdb_idxinitialize: database detected as: %d index creation as: %d",
                     hdb_info->db_type, TSK_HDB_DBTYPE_NSRL_ID);
            return 1;
        }
        hdb_setuphash(hdb_info, TSK_HDB_HTYPE_SHA1_ID);
    }
    else if (strcmp(dbtmp, TSK_HDB_DBTYPE_MD5SUM_STR) == 0) {
        if (hdb_info->db_type != TSK_HDB_DBTYPE_MD5SUM_ID) {
            tsk_error_reset();
            tsk_errno = TSK_ERR_HDB_ARG;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                     "hdb_idxinitialize: database detected as: %d index creation as: %d",
                     hdb_info->db_type, TSK_HDB_DBTYPE_MD5SUM_ID);
            return 1;
        }
        hdb_setuphash(hdb_info, TSK_HDB_HTYPE_MD5_ID);
    }
    else if (strcmp(dbtmp, TSK_HDB_DBTYPE_HK_STR) == 0) {
        if (hdb_info->db_type != TSK_HDB_DBTYPE_HK_ID) {
            tsk_error_reset();
            tsk_errno = TSK_ERR_HDB_ARG;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                     "hdb_idxinitialize: database detected as: %d index creation as: %d",
                     hdb_info->db_type, TSK_HDB_DBTYPE_HK_ID);
            return 1;
        }
        hdb_setuphash(hdb_info, TSK_HDB_HTYPE_MD5_ID);
    }
    else {
        tsk_error_reset();
        tsk_errno = TSK_ERR_HDB_ARG;
        snprintf(tsk_errstr, TSK_ERRSTR_L,
                 "hdb_idxinitialize: Unknown database type request: %s",
                 dbtmp);
        return 1;
    }

    /* Setup the internal hash information */
    if (hdb_setuphash(hdb_info, hdb_info->hash_type)) {
        return 1;
    }

    /* Make the name for the unsorted intermediate index file */
    flen = TSTRLEN(hdb_info->db_fname) + 32;
    hdb_info->uns_fname =
        (TSK_TCHAR *) talloc_size(hdb_info, flen * sizeof(TSK_TCHAR));
    if (hdb_info->uns_fname == NULL) {
        return 1;
    }
    TSNPRINTF(hdb_info->uns_fname, flen,
              _TSK_T("%s-%") PRIcTSK _TSK_T("-ns.idx"), hdb_info->db_fname,
              TSK_HDB_HTYPE_STR(hdb_info->hash_type));


    /* Create temp unsorted file of offsets */
#ifdef TSK_WIN32
    {
        HANDLE hWin;

        if ((hWin = CreateFile(hdb_info->uns_fname, GENERIC_WRITE,
                               0, 0, CREATE_ALWAYS, 0, 0)) ==
            INVALID_HANDLE_VALUE) {
            tsk_error_reset();
            tsk_errno = TSK_ERR_HDB_CREATE;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                     "hdb_idxinitialize: %s GetFileSize: %d",
                     hdb_info->uns_fname, GetLastError());
            return 1;
        }

        hdb_info->hIdxTmp =
            _fdopen(_open_osfhandle((intptr_t) hWin, _O_WRONLY), "wb");
        if (hdb_info->hIdxTmp == NULL) {
            tsk_error_reset();
            tsk_errno = TSK_ERR_HDB_OPEN;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                     "hdb_idxinitialize: Error converting Windows handle to C handle");
            talloc_free(hdb_info);
            return 1;
        }
    }
#else
    if (NULL == (hdb_info->hIdxTmp = fopen(hdb_info->uns_fname, "w"))) {
        tsk_error_reset();
        tsk_errno = TSK_ERR_HDB_CREATE;
        snprintf(tsk_errstr, TSK_ERRSTR_L,
                 "Error creating temp index file: %s",
                 hdb_info->uns_fname);
        return 1;
    }
#endif

    /* Print the header */
    switch (hdb_info->db_type) {
    case TSK_HDB_DBTYPE_NSRL_ID:
        fprintf(hdb_info->hIdxTmp, "%s|%s\n", TSK_HDB_IDX_HEAD_STR,
                TSK_HDB_DBTYPE_NSRL_STR);
        break;
    case TSK_HDB_DBTYPE_MD5SUM_ID:
        fprintf(hdb_info->hIdxTmp, "%s|%s\n", TSK_HDB_IDX_HEAD_STR,
                TSK_HDB_DBTYPE_MD5SUM_STR);
        break;
    case TSK_HDB_DBTYPE_HK_ID:
        fprintf(hdb_info->hIdxTmp, "%s|%s\n", TSK_HDB_IDX_HEAD_STR,
                TSK_HDB_DBTYPE_HK_STR);
        break;
        /* Used to stop warning messages about missing enum value */
    case TSK_HDB_DBTYPE_IDXONLY_ID:
    default:
        tsk_error_reset();
        tsk_errno = TSK_ERR_HDB_CREATE;
        snprintf(tsk_errstr, TSK_ERRSTR_L, "idxinit: Invalid db type\n");
        return 1;
    }

    return 0;
}
Пример #18
0
int
MAIN(int argc, TSK_TCHAR ** argv)
{
    TSK_TCHAR *imgtype = NULL;
    TSK_TCHAR *fstype = NULL;
    TSK_FS_INFO *fs;
    TSK_IMG_INFO *img;
    int ch;
    TSK_TCHAR *cp;
    extern int optind;
    DADDR_T block = 0;          /* the block to find */
    INUM_T parinode = 0;
    TSK_TCHAR *path = NULL;
    SSIZE_T imgoff = 0;

    progname = argv[0];
    setlocale(LC_ALL, "");

    localflags = 0;

    while ((ch = getopt(argc, argv, _TSK_T("ad:f:i:ln:o:p:vVz:"))) > 0) {
        switch (ch) {
        case _TSK_T('a'):
            localflags |= TSK_FS_IFIND_ALL;
            break;
        case _TSK_T('d'):
            if (localflags & (TSK_FS_IFIND_PAR | TSK_FS_IFIND_PATH)) {
                tsk_fprintf(stderr,
                    "error: only one address type can be given\n");
                usage();
            }
            localflags |= TSK_FS_IFIND_DATA;
            block = TSTRTOULL(optarg, &cp, 0);
            if (*cp || *cp == *optarg) {
                TFPRINTF(stderr, _TSK_T("Invalid block address: %s\n"),
                    optarg);
                usage();
            }
            break;
        case _TSK_T('f'):
            fstype = optarg;
            if (TSTRCMP(fstype, _TSK_T("list")) == 0) {
                tsk_fs_print_types(stderr);
                exit(1);
            }
            break;
        case _TSK_T('i'):
            imgtype = optarg;
            if (TSTRCMP(imgtype, _TSK_T("list")) == 0) {
                tsk_img_print_types(stderr);
                exit(1);
            }
            break;
        case _TSK_T('l'):
            localflags |= TSK_FS_IFIND_PAR_LONG;
            break;
        case _TSK_T('n'):
            {
                size_t len;
                if (localflags & (TSK_FS_IFIND_PAR | TSK_FS_IFIND_DATA)) {
                    tsk_fprintf(stderr,
                        "error: only one address type can be given\n");
                    usage();
                }
                localflags |= TSK_FS_IFIND_PATH;
                len = (TSTRLEN(optarg) + 1) * sizeof(TSK_TCHAR);
                if ((path = (TSK_TCHAR *) tsk_malloc(len)) == NULL) {
                    tsk_error_print(stderr);
                    exit(1);
                }
                TSTRNCPY(path, optarg, TSTRLEN(optarg) + 1);
                break;
            }
        case 'o':
            if ((imgoff = tsk_parse_offset(optarg)) == -1) {
                tsk_error_print(stderr);
                exit(1);
            }
            break;
        case 'p':
            if (localflags & (TSK_FS_IFIND_PATH | TSK_FS_IFIND_DATA)) {
                tsk_fprintf(stderr,
                    "error: only one address type can be given\n");
                usage();
            }
            localflags |= TSK_FS_IFIND_PAR;
            if (tsk_parse_inum(optarg, &parinode, NULL, NULL, NULL)) {
                TFPRINTF(stderr, _TSK_T("Invalid inode address: %s\n"),
                    optarg);
                usage();
            }
            break;
        case 'v':
            tsk_verbose++;
            break;
        case 'V':
            tsk_print_version(stdout);
            exit(0);
        case 'z':
            {
                TSK_TCHAR envstr[32];
                TSNPRINTF(envstr, 32, _TSK_T("TZ=%s"), optarg);
                if (0 != PUTENV(envstr)) {
                    tsk_fprintf(stderr, "error setting environment");
                    exit(1);
                }

                /* we should be checking this somehow */
                TZSET();
                break;
            }
        case '?':
        default:
            tsk_fprintf(stderr, "Invalid argument: %s\n", argv[optind]);
            usage();
        }
    }

    /* We need at least one more argument */
    if (optind >= argc) {
        tsk_fprintf(stderr, "Missing image name\n");
        if (path)
            free(path);
        usage();
    }

    if (0 ==
        (localflags & (TSK_FS_IFIND_PATH | TSK_FS_IFIND_DATA |
                TSK_FS_IFIND_PAR))) {
        tsk_fprintf(stderr, "-d, -n, or -p must be given\n");
        usage();
    }


    if ((img =
            tsk_img_open(imgtype, argc - optind,
                (const TSK_TCHAR **) &argv[optind])) == NULL) {
        tsk_error_print(stderr);
        if (path)
            free(path);
        exit(1);
    }

    if ((fs = tsk_fs_open(img, imgoff, fstype)) == NULL) {
        tsk_error_print(stderr);
        if (tsk_errno == TSK_ERR_FS_UNSUPTYPE)
            tsk_fs_print_types(stderr);
        img->close(img);
        if (path)
            free(path);
        exit(1);
    }

    if (localflags & TSK_FS_IFIND_DATA) {
        if (block > fs->last_block) {
            tsk_fprintf(stderr,
                "Block %" PRIuDADDR
                " is larger than last block in image (%" PRIuDADDR
                ")\n", block, fs->last_block);
            fs->close(fs);
            img->close(img);
            exit(1);
        }
        else if (block == 0) {
            tsk_printf("Inode not found\n");
            fs->close(fs);
            img->close(img);
            exit(1);
        }
        if (tsk_fs_ifind_data(fs, localflags, block)) {
            tsk_error_print(stderr);
            fs->close(fs);
            img->close(img);
            exit(1);
        }
    }

    else if (localflags & TSK_FS_IFIND_PAR) {
        if ((fs->ftype & TSK_FS_INFO_TYPE_FS_MASK) !=
            TSK_FS_INFO_TYPE_NTFS_TYPE) {
            tsk_fprintf(stderr, "-p works only with NTFS file systems\n");
            fs->close(fs);
            img->close(img);
            exit(1);
        }
        else if (parinode > fs->last_inum) {
            tsk_fprintf(stderr,
                "Meta data %" PRIuINUM
                " is larger than last MFT entry in image (%" PRIuINUM
                ")\n", parinode, fs->last_inum);
            fs->close(fs);
            img->close(img);
            exit(1);
        }
        if (tsk_fs_ifind_par(fs, localflags, parinode)) {
            tsk_error_print(stderr);
            fs->close(fs);
            img->close(img);
            exit(1);
        }
    }

    else if (localflags & TSK_FS_IFIND_PATH) {
        int retval;
        INUM_T inum;

        if (-1 == (retval =
                tsk_fs_ifind_path(fs, localflags, path, &inum))) {
            tsk_error_print(stderr);
            fs->close(fs);
            img->close(img);
            free(path);
            exit(1);
        }
        free(path);
        if (retval == 1)
            tsk_printf("File not found\n");
        else
            tsk_printf("%" PRIuINUM "\n", inum);
    }
    fs->close(fs);
    img->close(img);

    exit(0);
}
Пример #19
0
TSK_IMG_INFO *
ewf_open(int a_num_img, const TSK_TCHAR * const a_images[],
    unsigned int a_ssize)
{
    IMG_EWF_INFO *ewf_info;
    TSK_IMG_INFO *img_info;

#if !defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 )
    uint8_t md5_hash[16];
#endif
    if ((ewf_info =
            (IMG_EWF_INFO *) tsk_img_malloc(sizeof(IMG_EWF_INFO))) ==
        NULL) {
        return NULL;
    }

    img_info = (TSK_IMG_INFO *) ewf_info;


    // See if they specified only the first of the set...
    if (a_num_img == 1) {
#ifdef TSK_WIN32
        ewf_info->num_imgs = libewf_glob_wide(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images);
#else
        ewf_info->num_imgs = libewf_glob(a_images[0], TSTRLEN(a_images[0]), LIBEWF_FORMAT_UNKNOWN, &ewf_info->images);
#endif
        if (ewf_info->num_imgs <= 0) {
            free(ewf_info);
            return NULL;
        }
        if (tsk_verbose)
            tsk_fprintf(stderr, "ewf_open: found %d segment files via libewf_glob\n", ewf_info->num_imgs);
    }
    else {
        int i;
        ewf_info->num_imgs = a_num_img;
        if ((ewf_info->images =
                (TSK_TCHAR **) tsk_malloc(a_num_img *
                    sizeof(TSK_TCHAR *))) == NULL) {
            free(ewf_info);
            return NULL;
        }
        for (i = 0; i < a_num_img; i++) {
            if ((ewf_info->images[i] =
                    (TSK_TCHAR *) tsk_malloc((TSTRLEN(a_images[i]) +
                            1) * sizeof(TSK_TCHAR))) == NULL) {
                free(ewf_info);
                return NULL;
            }
            TSTRNCPY(ewf_info->images[i], a_images[i],
                TSTRLEN(a_images[i]) + 1);
        }
    }


    /* check the magic before we call the library open */
    //if (img_file_header_signature_ncmp(images[0],
    //        "\x45\x56\x46\x09\x0d\x0a\xff\x00", 8) != 1) {
#if defined (TSK_WIN32)
    if (libewf_check_file_signature_wide(ewf_info->images[0]) == 0) {
#else
    if (libewf_check_file_signature(ewf_info->images[0]) == 0) {
#endif
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_IMG_MAGIC);
        tsk_error_set_errstr("ewf_open: Not an EWF file");
        free(ewf_info);
        if (tsk_verbose)
            tsk_fprintf(stderr, "Not an EWF file\n");

        return NULL;
    }

#if defined (TSK_WIN32)
    ewf_info->handle =
        libewf_open_wide((wchar_t * const *) ewf_info->images,
        ewf_info->num_imgs, LIBEWF_OPEN_READ);
#else
    ewf_info->handle =
        libewf_open((char *const *) ewf_info->images, ewf_info->num_imgs,
        LIBEWF_OPEN_READ);
#endif
    if (ewf_info->handle == NULL) {
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_IMG_OPEN);
        tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
            ": Error opening", ewf_info->images[0]);
        free(ewf_info);
        if (tsk_verbose) {
            tsk_fprintf(stderr, "Error opening EWF file\n");
        }
        return NULL;
    }

    // 2007 version
#if defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 )
    img_info->size = libewf_get_media_size(ewf_info->handle);
    ewf_info->md5hash_isset = libewf_get_stored_md5_hash(ewf_info->handle,
        ewf_info->md5hash, LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5);
// libewf-20080322 version
#else
    if (libewf_get_media_size(ewf_info->handle,
            (size64_t *) & (img_info->size))
        != 1) {
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_IMG_OPEN);
        tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
            ": Error getting size of image", ewf_info->images[0]);
        free(ewf_info);
        if (tsk_verbose) {
            tsk_fprintf(stderr, "Error getting size of EWF file\n");
        }
        return NULL;
    }

    if (libewf_get_md5_hash(ewf_info->handle, md5_hash, 16) == 1) {
        int md5_string_iterator = 0;
        int md5_hash_iterator;
        for (md5_hash_iterator = 0; md5_hash_iterator < 16;
            md5_hash_iterator++) {
            int digit = md5_hash[md5_hash_iterator] / 16;
            if (digit <= 9)
                ewf_info->md5hash[md5_string_iterator++] = (char)
                    ('0' + digit);
            else
                ewf_info->md5hash[md5_string_iterator++] = (char) ('a' +
                    (digit - 10));
            digit = md5_hash[md5_hash_iterator] % 16;
            if (digit <= 9)
                ewf_info->md5hash[md5_string_iterator++] =
                    (char) ('0' + digit);
            else
                ewf_info->md5hash[md5_string_iterator++] = (char) ('a' +
                    (digit - 10));
        }
        ewf_info->md5hash_isset = 1;
    }
#endif
    img_info->sector_size = 512;
    if (a_ssize)
        img_info->sector_size = a_ssize;


    img_info->itype = TSK_IMG_TYPE_EWF_EWF;
    img_info->read = ewf_image_read;
    img_info->close = ewf_image_close;
    img_info->imgstat = ewf_image_imgstat;

    return img_info;
}
/**
* \ingroup hashdblib
*
* Opens an existing hash database. 
* @param file_path Path to database or database index file.
* @param flags Flags for opening the database.  
* @return Pointer to a struct representing the hash database or NULL on error.
*/
TSK_HDB_INFO *
    tsk_hdb_open(TSK_TCHAR *file_path, TSK_HDB_OPEN_ENUM flags)
{
    const char *func_name = "tsk_hdb_open";
    uint8_t file_path_is_idx_path = 0;
    TSK_TCHAR *db_path = NULL;
    TSK_TCHAR *ext = NULL; 
    FILE *hDb = NULL;
    FILE *hIdx = NULL;
    TSK_HDB_DBTYPE_ENUM db_type = TSK_HDB_DBTYPE_INVALID_ID;
    TSK_HDB_INFO *hdb_info = NULL;

    if (NULL == file_path) {
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_HDB_ARG);
        tsk_error_set_errstr("%s: NULL file path", func_name);
        return NULL;
    }

    // Determine the hash database path using the given file path. Note that
    // direct use of an external index file for a text-format hash database for 
    // simple yes/no lookups is both explicitly and implicitly supported. For 
    // such "index only" databases, the path to where the hash database is 
    // normally required to be is still needed because of the way the code for
    // text-format hash databases has been written.
    db_path = (TSK_TCHAR*)tsk_malloc((TSTRLEN(file_path) + 1) * sizeof(TSK_TCHAR));
    if (NULL == db_path) {
        return NULL;
    }

    ext = TSTRRCHR(file_path, _TSK_T('-'));    
    if ((NULL != ext) && 
        (TSTRLEN(ext) == 8 || TSTRLEN(ext) == 9) && 
        ((TSTRCMP(ext, _TSK_T("-md5.idx")) == 0) || TSTRCMP(ext, _TSK_T("-sha1.idx")) == 0)) {
            // The file path extension suggests the path is for an external index
            // file generated by TSK for a text-format hash database. In this case, 
            // the database path should be the given file path sans the extension 
            // because the hash database, if it is available for lookups, is 
            // required to be be in the same directory as the external index file.
            file_path_is_idx_path = 1;
            TSTRNCPY(db_path, file_path, (ext - file_path));
    }
    else {
        TSTRNCPY(db_path, file_path, TSTRLEN(file_path));
    }

    // Determine the database type.
    if ((flags & TSK_HDB_OPEN_IDXONLY) == 0) {
        hDb = hdb_open_file(db_path);
        if (NULL != hDb) {
            db_type = hdb_determine_db_type(hDb, db_path);
            if (TSK_HDB_DBTYPE_INVALID_ID == db_type) {
                tsk_error_reset();
                tsk_error_set_errno(TSK_ERR_HDB_UNKTYPE);
                tsk_error_set_errstr("%s: error determining hash database type of %"PRIttocTSK, func_name, db_path);
                free(db_path);
                return NULL;
            }
        }
        else {
            if (file_path_is_idx_path) {
                db_type = TSK_HDB_DBTYPE_IDXONLY_ID;
            }
            else {
                tsk_error_reset();
                tsk_error_set_errno(TSK_ERR_HDB_OPEN);
                tsk_error_set_errstr("%s: failed to open %"PRIttocTSK, func_name, db_path);
                free(db_path);
                return NULL;
            }
        }
    }
    else {
        db_type = TSK_HDB_DBTYPE_IDXONLY_ID;
    }

    switch (db_type) {
    case TSK_HDB_DBTYPE_NSRL_ID:
        hdb_info = nsrl_open(hDb, db_path);
        break;
    case TSK_HDB_DBTYPE_MD5SUM_ID:
        hdb_info = md5sum_open(hDb, db_path);
        break;
    case TSK_HDB_DBTYPE_ENCASE_ID:
        hdb_info = encase_open(hDb, db_path);
        break;
    case TSK_HDB_DBTYPE_HK_ID:
        hdb_info = hk_open(hDb, db_path);
        break;
    case TSK_HDB_DBTYPE_IDXONLY_ID:
        hIdx = hdb_open_file(file_path);
        if (NULL == hIdx) {
            tsk_error_reset();
            tsk_error_set_errno(TSK_ERR_HDB_OPEN);
            tsk_error_set_errstr("%s: database is index only, failed to open index %"PRIttocTSK, func_name, db_path);
            free(db_path);
            return NULL;
        } 
        else {
            fclose(hIdx);
        }
        hdb_info = idxonly_open(db_path);
        break;
    case TSK_HDB_DBTYPE_SQLITE_ID: 
        if (NULL != hDb) {
            fclose(hDb);
        }
        hdb_info = sqlite_hdb_open(db_path);
        break;

        // included to prevent compiler warnings that it is not used
    case TSK_HDB_DBTYPE_INVALID_ID:
        break;
    }

    if (NULL != db_path) {
        free(db_path);
    }

    return hdb_info;
}
Пример #21
0
TSK_IMG_INFO *
ewf_open(int a_num_img,
    const TSK_TCHAR * const a_images[], unsigned int a_ssize)
{
#if defined( HAVE_LIBEWF_V2_API )
    char error_string[TSK_EWF_ERROR_STRING_SIZE];

    libewf_error_t *ewf_error = NULL;
    int result = 0;
#elif !defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 )
    uint8_t md5_hash[16];
#endif

    IMG_EWF_INFO *ewf_info = NULL;
    TSK_IMG_INFO *img_info = NULL;

#if !defined( HAVE_LIBEWF_V2_API)
    if (tsk_verbose)
        libewf_set_notify_values(stderr, 1);
#endif

    if ((ewf_info =
            (IMG_EWF_INFO *) tsk_img_malloc(sizeof(IMG_EWF_INFO))) ==
        NULL) {
        return NULL;
    }
    img_info = (TSK_IMG_INFO *) ewf_info;

    // See if they specified only the first of the set...
    ewf_info->used_ewf_glob = 0;
    if (a_num_img == 1) {
#if defined( HAVE_LIBEWF_V2_API)
#ifdef TSK_WIN32
        if (libewf_glob_wide(a_images[0], TSTRLEN(a_images[0]),
                LIBEWF_FORMAT_UNKNOWN, &ewf_info->images,
                &ewf_info->num_imgs, &ewf_error) == -1) {
#else
        if (libewf_glob(a_images[0], TSTRLEN(a_images[0]),
                LIBEWF_FORMAT_UNKNOWN, &ewf_info->images,
                &ewf_info->num_imgs, &ewf_error) == -1) {
#endif
            tsk_error_reset();
            tsk_error_set_errno(TSK_ERR_IMG_MAGIC);

            getError(ewf_error, error_string);
            tsk_error_set_errstr("ewf_open: Not an E01 glob name (%s)",
                error_string);
            libewf_error_free(&ewf_error);
            tsk_img_free(ewf_info);
            return NULL;
        }

#else                           //use v1

#ifdef TSK_WIN32
        ewf_info->num_imgs =
            libewf_glob_wide(a_images[0], TSTRLEN(a_images[0]),
            LIBEWF_FORMAT_UNKNOWN, &ewf_info->images);
#else
        ewf_info->num_imgs =
            libewf_glob(a_images[0], TSTRLEN(a_images[0]),
            LIBEWF_FORMAT_UNKNOWN, &ewf_info->images);
#endif
        if (ewf_info->num_imgs <= 0) {
            tsk_error_reset();
            tsk_error_set_errno(TSK_ERR_IMG_MAGIC);
            tsk_error_set_errstr("ewf_open: Not an E01 glob name");

            tsk_img_free(ewf_info);
            return NULL;
        }
#endif                          // end v1

        ewf_info->used_ewf_glob = 1;
        if (tsk_verbose)
            tsk_fprintf(stderr,
                "ewf_open: found %d segment files via libewf_glob\n",
                ewf_info->num_imgs);
    }
    else {
        int i;
        ewf_info->num_imgs = a_num_img;
        if ((ewf_info->images =
                (TSK_TCHAR **) tsk_malloc(a_num_img *
                    sizeof(TSK_TCHAR *))) == NULL) {
            tsk_img_free(ewf_info);
            return NULL;
        }
        for (i = 0; i < a_num_img; i++) {
            if ((ewf_info->images[i] =
                    (TSK_TCHAR *) tsk_malloc((TSTRLEN(a_images[i]) +
                            1) * sizeof(TSK_TCHAR))) == NULL) {
                tsk_img_free(ewf_info);
                return NULL;
            }
            TSTRNCPY(ewf_info->images[i], a_images[i],
                TSTRLEN(a_images[i]) + 1);
        }
    }


#if defined( HAVE_LIBEWF_V2_API )

    // Check the file signature before we call the library open
#if defined( TSK_WIN32 )
    if (libewf_check_file_signature_wide(a_images[0], &ewf_error) != 1)
#else
    if (libewf_check_file_signature(a_images[0], &ewf_error) != 1)
#endif
    {
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_IMG_MAGIC);

        getError(ewf_error, error_string);
        tsk_error_set_errstr("ewf_open: Not an EWF file (%s)",
            error_string);
        libewf_error_free(&ewf_error);

        tsk_img_free(ewf_info);

        if (tsk_verbose != 0) {
            tsk_fprintf(stderr, "Not an EWF file\n");
        }
        return (NULL);
    }

    if (libewf_handle_initialize(&(ewf_info->handle), &ewf_error) != 1) {
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_IMG_OPEN);

        getError(ewf_error, error_string);
        tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
            ": Error initializing handle (%s)", a_images[0], error_string);
        libewf_error_free(&ewf_error);

        tsk_img_free(ewf_info);

        if (tsk_verbose != 0) {
            tsk_fprintf(stderr, "Unable to create EWF handle\n");
        }
        return (NULL);
    }
#if defined( TSK_WIN32 )
    if (libewf_handle_open_wide(ewf_info->handle,
            (wchar_t * const *) ewf_info->images,
            ewf_info->num_imgs, LIBEWF_OPEN_READ, &ewf_error) != 1)
#else
    if (libewf_handle_open(ewf_info->handle,
            (char *const *) ewf_info->images,
            ewf_info->num_imgs, LIBEWF_OPEN_READ, &ewf_error) != 1)
#endif
    {
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_IMG_OPEN);

        getError(ewf_error, error_string);
        tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
            ": Error opening (%s)", a_images[0], error_string);
        libewf_error_free(&ewf_error);

        tsk_img_free(ewf_info);

        if (tsk_verbose != 0) {
            tsk_fprintf(stderr, "Error opening EWF file\n");
        }
        return (NULL);
    }
    if (libewf_handle_get_media_size(ewf_info->handle,
            (size64_t *) & (img_info->size), &ewf_error) != 1) {
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_IMG_OPEN);

        getError(ewf_error, error_string);
        tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
            ": Error getting size of image (%s)", a_images[0],
            error_string);
        libewf_error_free(&ewf_error);

        tsk_img_free(ewf_info);

        if (tsk_verbose != 0) {
            tsk_fprintf(stderr, "Error getting size of EWF file\n");
        }
        return (NULL);
    }
    result = libewf_handle_get_utf8_hash_value_md5(ewf_info->handle,
        (uint8_t *) ewf_info->md5hash, 33, &ewf_error);

    if (result == -1) {
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_IMG_OPEN);

        getError(ewf_error, error_string);
        tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
            ": Error getting MD5 of image (%s)", a_images[0],
            error_string);
        libewf_error_free(&ewf_error);

        tsk_img_free(ewf_info);

        if (tsk_verbose != 0) {
            tsk_fprintf(stderr, "Error getting size of EWF file\n");
        }
        return (NULL);
    }
    ewf_info->md5hash_isset = result;

#else                           // V1 API

    // Check the file signature before we call the library open
#if defined( TSK_WIN32 )
    if (libewf_check_file_signature_wide(a_images[0]) != 1)
#else
    if (libewf_check_file_signature(a_images[0]) != 1)
#endif
    {
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_IMG_MAGIC);
        tsk_error_set_errstr("ewf_open: Not an EWF file");
        tsk_img_free(ewf_info);
        if (tsk_verbose)
            tsk_fprintf(stderr, "Not an EWF file\n");

        return NULL;
    }

#if defined( TSK_WIN32 )
    ewf_info->handle = libewf_open_wide(
        (wchar_t * const *) ewf_info->images, ewf_info->num_imgs,
        LIBEWF_OPEN_READ);
#else
    ewf_info->handle = libewf_open(
        (char *const *) ewf_info->images, ewf_info->num_imgs,
        LIBEWF_OPEN_READ);
#endif
    if (ewf_info->handle == NULL) {
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_IMG_OPEN);
        tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
            ": Error opening", ewf_info->images[0]);
        tsk_img_free(ewf_info);

        if (tsk_verbose != 0) {
            tsk_fprintf(stderr, "Error opening EWF file\n");
        }
        return (NULL);
    }
#if defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 )
    // 2007 version
    img_info->size = libewf_get_media_size(ewf_info->handle);

    ewf_info->md5hash_isset = libewf_get_stored_md5_hash(ewf_info->handle,
        ewf_info->md5hash, LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5);
#else
    // libewf-20080322 version
    if (libewf_get_media_size(ewf_info->handle,
            (size64_t *) & (img_info->size)) != 1) {
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_IMG_OPEN);
        tsk_error_set_errstr("ewf_open file: %" PRIttocTSK
            ": Error getting size of image", ewf_info->images[0]);
        tsk_img_free(ewf_info);
        if (tsk_verbose) {
            tsk_fprintf(stderr, "Error getting size of EWF file\n");
        }
        return (NULL);
    }
    if (libewf_get_md5_hash(ewf_info->handle, md5_hash, 16) == 1) {
        int md5_string_iterator = 0;
        int md5_hash_iterator = 0;

        for (md5_hash_iterator = 0;
            md5_hash_iterator < 16; md5_hash_iterator++) {
            int digit = md5_hash[md5_hash_iterator] / 16;

            if (digit <= 9) {
                ewf_info->md5hash[md5_string_iterator++] =
                    '0' + (char) digit;
            }
            else {
                ewf_info->md5hash[md5_string_iterator++] =
                    'a' + (char) (digit - 10);
            }
            digit = md5_hash[md5_hash_iterator] % 16;

            if (digit <= 9) {
                ewf_info->md5hash[md5_string_iterator++] =
                    '0' + (char) digit;
            }
            else {
                ewf_info->md5hash[md5_string_iterator++] =
                    'a' + (char) (digit - 10);
            }
        }
        ewf_info->md5hash_isset = 1;
    }
#endif                          /* defined( LIBEWF_STRING_DIGEST_HASH_LENGTH_MD5 ) */
#endif                          /* defined( HAVE_LIBEWF_V2_API ) */
    if (a_ssize != 0) {
        img_info->sector_size = a_ssize;
    }
    else {
        img_info->sector_size = 512;
    }
    img_info->itype = TSK_IMG_TYPE_EWF_EWF;
    img_info->read = &ewf_image_read;
    img_info->close = &ewf_image_close;
    img_info->imgstat = &ewf_image_imgstat;

    // initialize the read lock
    tsk_init_lock(&(ewf_info->read_lock));

    return (img_info);
}
Пример #22
0
void CUploadListCtrl::DrawItemInfo(LPDRAWITEMSTRUCT lpDrawItemStruct)
{
	CDC* pDC = CDC::FromHandle(lpDrawItemStruct->hDC);
	CRect rtItem = lpDrawItemStruct->rcItem;

	VideoInfo item = UploadQueueManager::GetInstance().GetItem(GetItemText(lpDrawItemStruct->itemID, 0).GetString());

	int cw = rtItem.left;
	// 上传状态
	int iStateWidth = GetColumnWidth(0);
	CRect rtState(cw, rtItem.top, cw + iStateWidth - 1, rtItem.bottom);
	CDC StateMemDC;
	StateMemDC.CreateCompatibleDC(pDC);
	CBitmap* pOldBitmap = NULL;
	COLORREF oldColor;
	switch(item.m_dwState)
	{
	case VideoInfo::Complete:
		oldColor = pDC->SetTextColor(RGB(0, 0, 0));
		pOldBitmap = StateMemDC.SelectObject(&m_CompleteStateBmpObj);
		break;
	case VideoInfo::Validate:
	case VideoInfo::Uploading:
		oldColor = pDC->SetTextColor(RGB(0, 0, 0));
		pOldBitmap = StateMemDC.SelectObject(&m_RunningStateBmpObj);
		break;
	case VideoInfo::WaitKey:
	case VideoInfo::Wait:
		oldColor = pDC->SetTextColor(RGB(0, 0, 0));
		pOldBitmap = StateMemDC.SelectObject(&m_WaitStateBmpObj);
		break;
	case VideoInfo::Delete:
	case VideoInfo::Pause:
		oldColor = pDC->SetTextColor(RGB(0, 0, 0));
		pOldBitmap = StateMemDC.SelectObject(&m_PauseStateBmpObj);
		break;
	default:
		oldColor = pDC->SetTextColor(RGB(255, 0, 0));
		pOldBitmap = StateMemDC.SelectObject(&m_FailStateBmpObj);
		break;
	}
	int descX, descY, descWidth, descHeight, srcX, srcY, srcWidth, srcHeight;
	if(rtState.Height() > rtState.Width())
	{
		if(rtState.Width() < 16)
		{
			descX = rtState.left;
			descY = rtState.top;
			descWidth = rtState.Width();
			descHeight = rtState.Height();
			srcX = (16 - rtState.Width()) / 2;
			srcY = (16 - rtState.Height()) / 2;
			srcWidth = rtState.Width();
			srcHeight = rtState.Height();
		}
		else
		{
			descX = (rtState.Width() - 16) / 2 + rtState.left;
			descY = (rtState.Height() - 16) / 2 + rtState.top;
			descWidth = 16;
			descHeight = 16;
			srcX = 0;
			srcY = 0;
			srcWidth = 16;
			srcHeight = 16;
		}
	}
	else
	{
		if(rtState.Height() < 16)
		{
			descX = rtState.left;
			descY = rtState.top;
			descWidth = rtState.Width();
			descHeight = rtState.Height();
			srcX = (16 - rtState.Width()) / 2;
			srcY = (16 - rtState.Height()) / 2;
			srcWidth = rtState.Width();
			srcHeight = rtState.Height();
		}
		else
		{
			descX = (rtState.Width() - 16) / 2 + rtState.left;
			descY = (rtState.Height() - 16) / 2 + rtState.top;
			descWidth = 16;
			descHeight = 16;
			srcX = 0;
			srcY = 0;
			srcWidth = 16;
			srcHeight = 16;
		}
	}
	pDC->TransparentBlt(descX, descY, descWidth, descHeight, &StateMemDC, srcX, srcY, srcWidth, srcHeight, RGB(255, 0, 255));
	StateMemDC.SelectObject(pOldBitmap);
	StateMemDC.DeleteDC();
	cw += iStateWidth;

	// 视频名称
	int iNameWidth = GetColumnWidth(1);
	CRect rtName(cw, rtItem.top, cw + iNameWidth - 1, rtItem.bottom);
	pDC->DrawText(item.m_strVideoName.c_str(), item.m_strVideoName.length(), &rtName, DT_LEFT|DT_VCENTER|DT_SINGLELINE);
	cw += iNameWidth;
	pDC->SetTextColor(oldColor);


	// 上传通道
	int iUploadChannelWidth = GetColumnWidth(2);
	CRect rtUploadChannel(cw, rtItem.top, cw + iUploadChannelWidth - 1, rtItem.bottom);
	if(item.m_dwVideoUploadChannel == VideoInfo::FastChannel)
	{
		oldColor = pDC->SetTextColor(RGB(0xFF, 0, 0));
		pDC->DrawText(TEXT("快速"), TSTRLEN(TEXT("快速")), &rtUploadChannel, DT_CENTER|DT_VCENTER|DT_SINGLELINE);
		pDC->SetTextColor(oldColor);
	}
	else
	{
		pDC->DrawText(TEXT("普通"), TSTRLEN(TEXT("普通")), &rtUploadChannel, DT_CENTER|DT_VCENTER|DT_SINGLELINE);
	}
	cw += iUploadChannelWidth;


	// 优先级
	int iVideoPriorityWidth = GetColumnWidth(3);
	CString strVideoPriority;
	switch(item.m_dwPriority)
	{
	case VideoInfo::Normal:
		oldColor = pDC->SetTextColor(RGB(0, 0, 0));
		strVideoPriority = TEXT("中");
		break;
	case VideoInfo::Important:
		oldColor = pDC->SetTextColor(RGB(0xFF, 0x99, 0));
		strVideoPriority = TEXT("高");
		break;
	default:
		oldColor = pDC->SetTextColor(RGB(255, 0, 0));
		strVideoPriority = TEXT("低");
		break;
	}
	CRect rtVideoPriority(cw, rtItem.top, cw + iVideoPriorityWidth - 1, rtItem.bottom);
	pDC->DrawText(strVideoPriority, strVideoPriority.GetLength(), &rtVideoPriority, DT_CENTER|DT_VCENTER|DT_SINGLELINE);
	cw += iVideoPriorityWidth;
	pDC->SetTextColor(oldColor);

	// 视频大小
	int iVideoSizeWidth = GetColumnWidth(4);
	double szFile = item.m_dwFileSize;
	szFile = szFile / 1048576;
	CString strVideoSize;
	strVideoSize.Format(TEXT("%.2fMB "), szFile);
	CRect rtVideoSize(cw, rtItem.top, cw + iVideoSizeWidth - 1, rtItem.bottom);
	pDC->DrawText(strVideoSize, strVideoSize.GetLength(), &rtVideoSize, DT_RIGHT|DT_VCENTER|DT_SINGLELINE);
	cw += iVideoSizeWidth;

	// 上传进度
	int iUploadProcessWidth = GetColumnWidth(5);
	double dUploadProcess = (double)item.m_dwPosition / item.m_dwFileSize;
	CRect rtUploadProcess(cw + 1, rtItem.top + 1, cw + iUploadProcessWidth - 2, rtItem.bottom - 1);
	pDC->Rectangle(&rtUploadProcess);
	
	CDC dc;
	dc.CreateCompatibleDC(pDC);
	CBitmap* pOldBitmapObj = dc.SelectObject(&m_ProcessBackgroundBmpObj);
	pDC->TransparentBlt(rtUploadProcess.left + 1, rtUploadProcess.top + 1, (int)(rtUploadProcess.Width() * dUploadProcess) - 2, rtUploadProcess.Height() - 2, &dc, 0, 0, 1, 15, RGB(0, 0, 0));
	dc.SelectObject(pOldBitmapObj);
	dc.DeleteDC();

	CString strProcess;
	strProcess.Format(TEXT("%.2f%%"), dUploadProcess * 100);
	pDC->DrawText(strProcess, strProcess.GetLength(), &rtUploadProcess, DT_CENTER|DT_VCENTER|DT_SINGLELINE);
	cw += iUploadProcessWidth;

	// 上传速度
	int iSpeedWidth = GetColumnWidth(6);
	CString strSpeed;
	if(item.m_dwState == VideoInfo::Uploading)
	{
		double dTmpSpeed = item.m_dSpeed * 1000 / 1024;
		if(dTmpSpeed >= 1024)
		{
			dTmpSpeed = dTmpSpeed / 1024;
			strSpeed.Format(TEXT("%.2fMB/s "), dTmpSpeed);
		}
		else
			strSpeed.Format(TEXT("%.2fKB/s "), dTmpSpeed);
	}
	CRect rtSpeed(cw, rtItem.top, cw + iSpeedWidth - 1, rtItem.bottom);
	pDC->DrawText(strSpeed, strSpeed.GetLength(), &rtSpeed, DT_RIGHT|DT_VCENTER|DT_SINGLELINE);
	cw += iSpeedWidth;

	// 剩余时间
	int iRemainTimeWidth = GetColumnWidth(7);
	CString strRemainTime = item.m_strNeedTime.c_str();
	strRemainTime.Append(TEXT(" "));
	CRect rtRemainTime(cw, rtItem.top, cw + iRemainTimeWidth - 1, rtItem.bottom);
	pDC->DrawText(strRemainTime, strRemainTime.GetLength(), &rtRemainTime, DT_RIGHT|DT_VCENTER|DT_SINGLELINE);
	cw += iRemainTimeWidth;

	// 码率
	int iBitRateWidth = GetColumnWidth(8);
	CString strBitRate;
	double dTmpBitRate = (double)item.m_iVideoBitRate / 1000;
	strBitRate.Format(TEXT("%.2fkbps "), dTmpBitRate);
	CRect rtBitRate(cw, rtItem.top, cw + iBitRateWidth - 1, rtItem.bottom);
	pDC->DrawText(strBitRate, strBitRate.GetLength(), &rtBitRate, DT_RIGHT|DT_VCENTER|DT_SINGLELINE);
	cw += iBitRateWidth;

	// 时长
	int iVideoDurationWidth = GetColumnWidth(9);
	CString strVideoDuration = item.m_strVideoDuration.c_str();
	strVideoDuration.Append(TEXT(" "));
	CRect rtVideoDuration(cw, rtItem.top, cw + iVideoDurationWidth - 1, rtItem.bottom);
	pDC->DrawText(strVideoDuration, strVideoDuration.GetLength(), &rtVideoDuration, DT_RIGHT|DT_VCENTER|DT_SINGLELINE);
	cw += iVideoDurationWidth;

	// 备注
	int iRemarkWidth = GetColumnWidth(10);
	CString strRemark = item.m_strErrorMessage.c_str();
	CRect rtRemark(cw, rtItem.top, cw + iRemarkWidth - 1, rtItem.bottom);
	pDC->DrawText(strRemark, strRemark.GetLength(), &rtRemark, DT_LEFT|DT_VCENTER|DT_SINGLELINE);
	cw += iRemarkWidth;
}