/* Prints the store information to a stream
* Returns 1 if successful or -1 on error
*/
int info_handle_store_fprint(
info_handle_t *info_handle,
int store_index,
libvshadow_store_t *store,
libcerror_error_t **error )
{
uint8_t guid_buffer[ 16 ];
libcstring_system_character_t filetime_string[ 32 ];
libcstring_system_character_t guid_string[ 48 ];
libfdatetime_filetime_t *filetime = NULL;
libfguid_identifier_t *guid = NULL;
libvshadow_block_t *block = NULL;
static char *function = "info_handle_store_fprint";
size64_t volume_size = 0;
uint64_t value_64bit = 0;
uint32_t attribute_flags = 0;
int block_index = 0;
int number_of_blocks = 0;
int result = 0;
if( info_handle == NULL )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
"%s: invalid info handle.",
function );
return( -1 );
}
fprintf(
info_handle->notify_stream,
"Store: %d\n",
store_index + 1 );
if( libfdatetime_filetime_initialize(
&filetime,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
"%s: unable to create filetime.",
function );
goto on_error;
}
if( libfguid_identifier_initialize(
&guid,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
"%s: unable to create GUID.",
function );
goto on_error;
}
if( libvshadow_store_get_identifier(
store,
guid_buffer,
16,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_GET_FAILED,
"%s: unable to retrieve store: %d identifier.",
function,
store_index );
goto on_error;
}
if( libfguid_identifier_copy_from_byte_stream(
guid,
guid_buffer,
16,
LIBFGUID_ENDIAN_LITTLE,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
"%s: unable to copy byte stream to GUID.",
function );
goto on_error;
}
#if defined( LIBCSTRING_HAVE_WIDE_SYSTEM_CHARACTER )
result = libfguid_identifier_copy_to_utf16_string(
guid,
(uint16_t *) guid_string,
48,
LIBFGUID_STRING_FORMAT_FLAG_USE_LOWER_CASE,
error );
#else
result = libfguid_identifier_copy_to_utf8_string(
guid,
(uint8_t *) guid_string,
48,
LIBFGUID_STRING_FORMAT_FLAG_USE_LOWER_CASE,
error );
#endif
if( result != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
"%s: unable to copy GUID to string.",
function );
goto on_error;
}
fprintf(
info_handle->notify_stream,
"\tIdentifier\t\t: %" PRIs_LIBCSTRING_SYSTEM "\n",
guid_string );
if( libvshadow_store_get_copy_set_identifier(
store,
guid_buffer,
16,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_GET_FAILED,
"%s: unable to retrieve store: %d shadow copy set identifier.",
function,
store_index );
goto on_error;
}
if( libfguid_identifier_copy_from_byte_stream(
guid,
guid_buffer,
16,
LIBFGUID_ENDIAN_LITTLE,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
"%s: unable to copy byte stream to GUID.",
function );
goto on_error;
}
#if defined( LIBCSTRING_HAVE_WIDE_SYSTEM_CHARACTER )
result = libfguid_identifier_copy_to_utf16_string(
guid,
(uint16_t *) guid_string,
48,
LIBFGUID_STRING_FORMAT_FLAG_USE_LOWER_CASE,
error );
#else
result = libfguid_identifier_copy_to_utf8_string(
guid,
(uint8_t *) guid_string,
48,
LIBFGUID_STRING_FORMAT_FLAG_USE_LOWER_CASE,
error );
#endif
if( result != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
"%s: unable to copy GUID to string.",
function );
goto on_error;
}
fprintf(
info_handle->notify_stream,
"\tShadow copy set ID\t: %" PRIs_LIBCSTRING_SYSTEM "\n",
guid_string );
if( libvshadow_store_get_creation_time(
store,
&value_64bit,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_GET_FAILED,
"%s: unable to retrieve store: %d creation time.",
function,
store_index );
goto on_error;
}
if( libfdatetime_filetime_copy_from_64bit(
filetime,
value_64bit,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_CONVERSION,
LIBCERROR_CONVERSION_ERROR_GENERIC,
"%s: unable to create filetime.",
function );
goto on_error;
}
#if defined( LIBCSTRING_HAVE_WIDE_SYSTEM_CHARACTER )
result = libfdatetime_filetime_copy_to_utf16_string(
filetime,
(uint16_t *) filetime_string,
32,
LIBFDATETIME_STRING_FORMAT_TYPE_CTIME | LIBFDATETIME_STRING_FORMAT_FLAG_DATE_TIME_NANO_SECONDS,
error );
#else
result = libfdatetime_filetime_copy_to_utf8_string(
filetime,
(uint8_t *) filetime_string,
32,
LIBFDATETIME_STRING_FORMAT_TYPE_CTIME | LIBFDATETIME_STRING_FORMAT_FLAG_DATE_TIME_NANO_SECONDS,
error );
#endif
if( result != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
"%s: unable to copy filetime to string.",
function );
goto on_error;
}
fprintf(
info_handle->notify_stream,
"\tCreation time\t\t: %" PRIs_LIBCSTRING_SYSTEM " UTC\n",
filetime_string );
if( libvshadow_store_get_copy_identifier(
store,
guid_buffer,
16,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_GET_FAILED,
"%s: unable to retrieve store: %d shadow copy identifier.",
function,
store_index );
goto on_error;
}
if( libfguid_identifier_copy_from_byte_stream(
guid,
guid_buffer,
16,
LIBFGUID_ENDIAN_LITTLE,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
"%s: unable to copy byte stream to GUID.",
function );
goto on_error;
}
#if defined( LIBCSTRING_HAVE_WIDE_SYSTEM_CHARACTER )
result = libfguid_identifier_copy_to_utf16_string(
guid,
(uint16_t *) guid_string,
48,
LIBFGUID_STRING_FORMAT_FLAG_USE_LOWER_CASE,
error );
#else
result = libfguid_identifier_copy_to_utf8_string(
guid,
(uint8_t *) guid_string,
48,
LIBFGUID_STRING_FORMAT_FLAG_USE_LOWER_CASE,
error );
#endif
if( result != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
"%s: unable to copy GUID to string.",
function );
goto on_error;
}
fprintf(
info_handle->notify_stream,
"\tShadow copy ID\t\t: %" PRIs_LIBCSTRING_SYSTEM "\n",
guid_string );
if( libvshadow_store_get_volume_size(
store,
&volume_size,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_GET_FAILED,
"%s: unable to retrieve store: %d volume size.",
function,
store_index );
goto on_error;
}
fprintf(
info_handle->notify_stream,
"\tVolume size\t\t: %" PRIu64 " bytes\n",
volume_size );
if( libvshadow_store_get_attribute_flags(
store,
&attribute_flags,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_GET_FAILED,
"%s: unable to retrieve store: %d attribute flags.",
function,
store_index );
goto on_error;
}
/* TODO print a description of the flags */
fprintf(
info_handle->notify_stream,
"\tAttribute flags\t\t: 0x%08" PRIx32 "\n",
attribute_flags );
if( libfguid_identifier_free(
&guid,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
"%s: unable to free GUID.",
function );
goto on_error;
}
if( libfdatetime_filetime_free(
&filetime,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
"%s: unable to free filetime.",
function );
goto on_error;
}
if( info_handle->show_allocation_information != 0 )
{
if( libvshadow_store_get_number_of_blocks(
store,
&number_of_blocks,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_GET_FAILED,
"%s: unable to retrieve store: %d number of blocks.",
function,
store_index );
goto on_error;
}
fprintf(
info_handle->notify_stream,
"\tNumber of blocks\t: %d\n",
number_of_blocks );
for( block_index = 0;
block_index < number_of_blocks;
block_index++ )
{
if( libvshadow_store_get_block_by_index(
store,
block_index,
&block,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_GET_FAILED,
"%s: unable to retrieve block: %d.",
function,
block_index );
goto on_error;
}
if( info_handle_block_fprint(
info_handle,
block_index,
block,
error ) != 1 )
{
goto on_error;
}
if( libvshadow_block_free(
&block,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
"%s: unable to free block: %d.",
function,
block_index );
goto on_error;
}
}
}
fprintf(
info_handle->notify_stream,
"\n" );
return( 1 );
on_error:
if( block != NULL )
{
libvshadow_block_free(
&block,
NULL );
}
if( guid != NULL )
{
libfguid_identifier_free(
&guid,
NULL );
}
if( filetime != NULL )
{
libfdatetime_filetime_free(
&filetime,
NULL );
}
return( -1 );
}
/* Reads the memory image information
* Returns 1 if successful or -1 on error
*/
int libhibr_io_handle_read_memory_image_information(
libhibr_io_handle_t *io_handle,
libbfio_handle_t *file_io_handle,
libcerror_error_t **error )
{
uint8_t *page_data = NULL;
static char *function = "libhibr_io_handle_read_memory_image_information";
ssize_t read_count = 0;
uint64_t page_size = 0;
uint32_t memory_image_information_data_size = 0;
#if defined( HAVE_DEBUG_OUTPUT )
libcstring_system_character_t filetime_string[ 32 ];
libfdatetime_filetime_t *filetime = NULL;
uint64_t value_64bit = 0;
uint32_t value_32bit = 0;
uint8_t value_8bit = 0;
int result = 0;
#endif
if( io_handle == NULL )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
"%s: invalid IO handle.",
function );
return( -1 );
}
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
libcnotify_printf(
"%s: reading memory image information at offset: 0.\n",
function );
}
#endif
if( libbfio_handle_seek_offset(
file_io_handle,
0,
SEEK_SET,
error ) == -1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_IO,
LIBCERROR_IO_ERROR_SEEK_FAILED,
"%s: unable to seek memory image information offset: 0.",
function );
goto on_error;
}
page_data = (uint8_t *) memory_allocate(
sizeof( uint8_t ) * io_handle->page_size );
if( page_data == NULL )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_MEMORY,
LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
"%s: unable to create memory image information data.",
function );
goto on_error;
}
read_count = libbfio_handle_read_buffer(
file_io_handle,
page_data,
io_handle->page_size,
error );
if( read_count != (ssize_t) io_handle->page_size )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_IO,
LIBCERROR_IO_ERROR_READ_FAILED,
"%s: unable to read memory image information.",
function );
goto on_error;
}
/* TODO do empty page test */
byte_stream_copy_to_uint32_little_endian(
( (hibr_memory_image_information_t *) page_data )->size,
memory_image_information_data_size );
if( memory_image_information_data_size > 0 )
{
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
libcnotify_printf(
"%s: memory image information data:\n",
function );
libcnotify_print_data(
page_data,
(size_t) memory_image_information_data_size,
0 );
}
#endif
/* TODO
if( memory_compare(
( (hibr_memory_image_information_t *) page_data )->signature,
hibr_file_signature,
8 ) != 0 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_UNSUPPORTED_VALUE,
"%s: unsupported file signature.",
function );
goto on_error;
}
*/
if( memory_image_information_data_size == sizeof( hibr_memory_image_information_winxp_32bit_t ) )
{
io_handle->file_type = LIBHIBR_FILE_TYPE_WINDOWS_XP_32BIT;
}
else if( memory_image_information_data_size == sizeof( hibr_memory_image_information_winxp_64bit_t ) )
{
io_handle->file_type = LIBHIBR_FILE_TYPE_WINDOWS_XP_64BIT;
}
else if( memory_image_information_data_size == sizeof( hibr_memory_image_information_win7_32bit_t ) )
{
io_handle->file_type = LIBHIBR_FILE_TYPE_WINDOWS_7_32BIT;
}
else if( memory_image_information_data_size == sizeof( hibr_memory_image_information_win7_64bit_t ) )
{
io_handle->file_type = LIBHIBR_FILE_TYPE_WINDOWS_7_64BIT;
}
if( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_32BIT )
{
byte_stream_copy_to_uint32_little_endian(
( (hibr_memory_image_information_winxp_32bit_t *) page_data )->page_size,
page_size );
}
else if( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_64BIT )
{
byte_stream_copy_to_uint32_little_endian(
( (hibr_memory_image_information_winxp_64bit_t *) page_data )->page_size,
page_size );
}
else if( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_7_32BIT )
{
byte_stream_copy_to_uint32_little_endian(
( (hibr_memory_image_information_win7_32bit_t *) page_data )->page_size,
page_size );
}
else if( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_7_64BIT )
{
byte_stream_copy_to_uint32_little_endian(
( (hibr_memory_image_information_win7_64bit_t *) page_data )->page_size,
page_size );
}
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
libcnotify_printf(
"%s: signature\t\t: %c%c%c%c\n",
function,
( (hibr_memory_image_information_t *) page_data )->signature[ 0 ],
( (hibr_memory_image_information_t *) page_data )->signature[ 1 ],
( (hibr_memory_image_information_t *) page_data )->signature[ 2 ],
( (hibr_memory_image_information_t *) page_data )->signature[ 3 ] );
if( ( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_32BIT )
|| ( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_64BIT ) )
{
byte_stream_copy_to_uint32_little_endian(
( (hibr_memory_image_information_winxp_32bit_t *) page_data )->version,
value_32bit );
libcnotify_printf(
"%s: version\t\t: %" PRIu32 "\n",
function,
value_32bit );
}
else if( ( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_7_32BIT )
|| ( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_7_64BIT ) )
{
byte_stream_copy_to_uint32_little_endian(
( (hibr_memory_image_information_win7_32bit_t *) page_data )->image_type,
value_32bit );
libcnotify_printf(
"%s: image type\t\t: %" PRIu32 "\n",
function,
value_32bit );
}
byte_stream_copy_to_uint32_little_endian(
( (hibr_memory_image_information_t *) page_data )->checksum,
value_32bit );
libcnotify_printf(
"%s: checksum\t\t: 0x%08" PRIx32 "\n",
function,
value_32bit );
libcnotify_printf(
"%s: size\t\t\t: %" PRIu32 "\n",
function,
memory_image_information_data_size );
if( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_32BIT )
{
byte_stream_copy_to_uint32_little_endian(
( (hibr_memory_image_information_winxp_32bit_t *) page_data )->page_number,
value_64bit );
}
else if( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_64BIT )
{
byte_stream_copy_to_uint64_little_endian(
( (hibr_memory_image_information_winxp_64bit_t *) page_data )->page_number,
value_64bit );
}
else if( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_7_32BIT )
{
byte_stream_copy_to_uint32_little_endian(
( (hibr_memory_image_information_win7_32bit_t *) page_data )->page_number,
value_64bit );
}
else if( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_7_64BIT )
{
byte_stream_copy_to_uint64_little_endian(
( (hibr_memory_image_information_win7_64bit_t *) page_data )->page_number,
value_64bit );
}
libcnotify_printf(
"%s: page number\t\t: %" PRIu64 "\n",
function,
value_64bit );
libcnotify_printf(
"%s: page size\t\t: %" PRIu64 "\n",
function,
page_size );
if( ( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_32BIT )
|| ( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_64BIT ) )
{
if( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_32BIT )
{
byte_stream_copy_to_uint32_little_endian(
( (hibr_memory_image_information_winxp_32bit_t *) page_data )->image_type,
value_32bit );
}
else
{
byte_stream_copy_to_uint32_little_endian(
( (hibr_memory_image_information_winxp_64bit_t *) page_data )->image_type,
value_32bit );
}
libcnotify_printf(
"%s: image type\t\t: %" PRIu32 "\n",
function,
value_32bit );
}
if( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_32BIT )
{
byte_stream_copy_to_uint32_little_endian(
( (hibr_memory_image_information_winxp_32bit_t *) page_data )->unknown1,
value_32bit );
libcnotify_printf(
"%s: unknown1\t\t: 0x%08" PRIx32 "\n",
function,
value_32bit );
}
if( ( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_32BIT )
|| ( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_64BIT ) )
{
byte_stream_copy_to_uint64_little_endian(
( (hibr_memory_image_information_winxp_32bit_t *) page_data )->system_time,
value_64bit );
}
else if( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_7_32BIT )
{
byte_stream_copy_to_uint64_little_endian(
( (hibr_memory_image_information_win7_32bit_t *) page_data )->system_time,
value_64bit );
}
else if( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_7_64BIT )
{
byte_stream_copy_to_uint64_little_endian(
( (hibr_memory_image_information_win7_64bit_t *) page_data )->system_time,
value_64bit );
}
if( libfdatetime_filetime_initialize(
&filetime,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
"%s: unable to create filetime.",
function );
goto on_error;
}
if( libfdatetime_filetime_copy_from_64bit(
filetime,
value_64bit,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
"%s: unable to copy byte stream to filetime.",
function );
goto on_error;
}
#if defined( LIBCSTRING_HAVE_WIDE_SYSTEM_CHARACTER )
result = libfdatetime_filetime_copy_to_utf16_string(
filetime,
(uint16_t *) filetime_string,
32,
LIBFDATETIME_STRING_FORMAT_TYPE_CTIME | LIBFDATETIME_STRING_FORMAT_FLAG_DATE_TIME_NANO_SECONDS,
error );
#else
result = libfdatetime_filetime_copy_to_utf8_string(
filetime,
(uint8_t *) filetime_string,
32,
LIBFDATETIME_STRING_FORMAT_TYPE_CTIME | LIBFDATETIME_STRING_FORMAT_FLAG_DATE_TIME_NANO_SECONDS,
error );
#endif
if( result != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_COPY_FAILED,
"%s: unable to copy filetime to string.",
function );
goto on_error;
}
libcnotify_printf(
"%s: system time\t\t: %" PRIs_LIBCSTRING_SYSTEM " UTC\n",
function,
filetime_string );
if( libfdatetime_filetime_free(
&filetime,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
"%s: unable to free filetime.",
function );
goto on_error;
}
if( ( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_32BIT )
|| ( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_64BIT ) )
{
byte_stream_copy_to_uint64_little_endian(
( (hibr_memory_image_information_winxp_32bit_t *) page_data )->interrupt_time,
value_64bit );
}
libcnotify_printf(
"%s: interrupt time\t\t: 0x%08" PRIx64 "\n",
function,
value_64bit );
if( ( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_32BIT )
|| ( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_64BIT ) )
{
byte_stream_copy_to_uint32_little_endian(
( (hibr_memory_image_information_winxp_32bit_t *) page_data )->feature_flags,
value_32bit );
}
libcnotify_printf(
"%s: feature flags\t\t: 0x%08" PRIx32 "\n",
function,
value_32bit );
if( ( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_32BIT )
|| ( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_64BIT ) )
{
value_8bit = ( (hibr_memory_image_information_winxp_32bit_t *) page_data )->hibernation_flags;
}
libcnotify_printf(
"%s: hibernation flags\t: 0x%02" PRIx8 "\n",
function,
value_8bit );
if( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_32BIT )
{
libcnotify_printf(
"%s: unknown2:\n",
function );
libcnotify_print_data(
( (hibr_memory_image_information_winxp_32bit_t *) page_data )->unknown2,
3,
0 );
}
else if( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_64BIT )
{
libcnotify_printf(
"%s: unknown1:\n",
function );
libcnotify_print_data(
( (hibr_memory_image_information_winxp_64bit_t *) page_data )->unknown1,
3,
0 );
byte_stream_copy_to_uint32_little_endian(
( (hibr_memory_image_information_winxp_64bit_t *) page_data )->unknown2,
value_32bit );
libcnotify_printf(
"%s: unknown2\t\t: 0x%08" PRIx32 "\n",
function,
value_32bit );
}
if( ( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_32BIT )
|| ( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_64BIT ) )
{
byte_stream_copy_to_uint32_little_endian(
( (hibr_memory_image_information_winxp_32bit_t *) page_data )->unknown3,
value_32bit );
}
libcnotify_printf(
"%s: unknown3\t\t: 0x%08" PRIx32 "\n",
function,
value_32bit );
if( ( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_32BIT )
|| ( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_64BIT ) )
{
byte_stream_copy_to_uint32_little_endian(
( (hibr_memory_image_information_winxp_32bit_t *) page_data )->unknown4,
value_32bit );
}
libcnotify_printf(
"%s: unknown4\t\t: 0x%08" PRIx32 "\n",
function,
value_32bit );
if( ( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_32BIT )
|| ( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_64BIT ) )
{
byte_stream_copy_to_uint64_little_endian(
( (hibr_memory_image_information_winxp_32bit_t *) page_data )->unknown5,
value_64bit );
}
libcnotify_printf(
"%s: unknown5\t\t: 0x%08" PRIx64 "\n",
function,
value_64bit );
if( ( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_32BIT )
|| ( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_64BIT ) )
{
byte_stream_copy_to_uint32_little_endian(
( (hibr_memory_image_information_winxp_32bit_t *) page_data )->number_of_free_pages,
value_32bit );
}
libcnotify_printf(
"%s: number of free pages\t: %" PRIu32 "\n",
function,
value_32bit );
if( ( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_32BIT )
|| ( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_64BIT ) )
{
byte_stream_copy_to_uint32_little_endian(
( (hibr_memory_image_information_winxp_32bit_t *) page_data )->unknown6,
value_32bit );
}
libcnotify_printf(
"%s: unknown6\t\t: 0x%08" PRIx32 "\n",
function,
value_32bit );
if( ( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_32BIT )
|| ( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_64BIT ) )
{
byte_stream_copy_to_uint32_little_endian(
( (hibr_memory_image_information_winxp_32bit_t *) page_data )->unknown7,
value_32bit );
}
libcnotify_printf(
"%s: unknown7\t\t: 0x%08" PRIx32 "\n",
function,
value_32bit );
if( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_64BIT )
{
byte_stream_copy_to_uint32_little_endian(
( (hibr_memory_image_information_winxp_64bit_t *) page_data )->unknown8,
value_32bit );
libcnotify_printf(
"%s: unknown8\t\t: 0x%08" PRIx32 "\n",
function,
value_32bit );
}
if( ( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_32BIT )
|| ( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_64BIT ) )
{
byte_stream_copy_to_uint32_little_endian(
( (hibr_memory_image_information_winxp_32bit_t *) page_data )->number_of_pages,
value_32bit );
}
libcnotify_printf(
"%s: number of pages\t: %" PRIu32 "\n",
function,
value_32bit );
if( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_32BIT )
{
byte_stream_copy_to_uint32_little_endian(
( (hibr_memory_image_information_winxp_32bit_t *) page_data )->unknown8,
value_32bit );
libcnotify_printf(
"%s: unknown8\t\t: 0x%08" PRIx32 "\n",
function,
value_32bit );
byte_stream_copy_to_uint32_little_endian(
( (hibr_memory_image_information_winxp_32bit_t *) page_data )->unknown9,
value_32bit );
libcnotify_printf(
"%s: unknown9\t\t: 0x%08" PRIx32 "\n",
function,
value_32bit );
libcnotify_printf(
"%s: unknown10:\n",
function );
libcnotify_print_data(
( (hibr_memory_image_information_winxp_32bit_t *) page_data )->unknown10,
72,
0 );
}
else if( io_handle->file_type == LIBHIBR_FILE_TYPE_WINDOWS_XP_64BIT )
{
byte_stream_copy_to_uint32_little_endian(
( (hibr_memory_image_information_winxp_64bit_t *) page_data )->unknown8,
value_32bit );
libcnotify_printf(
"%s: unknown8\t\t: 0x%08" PRIx32 "\n",
function,
value_32bit );
byte_stream_copy_to_uint32_little_endian(
( (hibr_memory_image_information_winxp_64bit_t *) page_data )->unknown9,
value_32bit );
libcnotify_printf(
"%s: unknown9\t\t: 0x%08" PRIx32 "\n",
function,
value_32bit );
libcnotify_printf(
"%s: unknown10:\n",
function );
libcnotify_print_data(
( (hibr_memory_image_information_winxp_64bit_t *) page_data )->unknown10,
72,
0 );
}
else
{
libcnotify_printf(
"\n" );
}
}
#endif
}
#if defined( HAVE_DEBUG_OUTPUT )
else if( libcnotify_verbose != 0 )
{
libcnotify_printf(
"%s: page data:\n",
function );
libcnotify_print_data(
page_data,
io_handle->page_size,
LIBCNOTIFY_PRINT_DATA_FLAG_GROUP_DATA );
}
#endif
/* TODO print trailing data */
/* TODO page size sanity check */
io_handle->page_size = (size_t) page_size;
/* TODO memory blocks page number sanity check */
memory_free(
page_data );
page_data = NULL;
return( 1 );
on_error:
#if defined( HAVE_DEBUG_OUTPUT )
if( filetime != NULL )
{
libfdatetime_filetime_free(
&filetime,
NULL );
}
#endif
if( page_data != NULL )
{
memory_free(
page_data );
}
return( -1 );
}
