📄 nsrl_index.c
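/*
 * The Sleuth Kit
 *
 * Brian Carrier [carrier <at> sleuthkit [dot] org]
 * Copyright (c) 2003-2008 Brian Carrier. All rights reserved
 *
 *
 * This software is distributed under the Common Public License 1.0
 */

#include "tsk_hashdb_i.h"

/**
 * \file nsrl_index.c
 * NSRL specific functions to read the database.
 *
 * The parsers below locate fields by fixed character offsets and write
 * terminators into the caller's line buffer.  The lines come from a database
 * file on disk, so every offset has to be checked against the real line
 * length before it is used; a truncated or corrupt line must end in
 * TSK_ERR_HDB_CORRUPT, not in a read or write past the end of the line.
 */

/**
 * Version of NSRL Database
 */
enum TSK_HDB_NSRL_FORM_ENUM {
    TSK_HDB_NSRL_FORM1 = (1 << 0),      ///< Version 1
    TSK_HDB_NSRL_FORM2 = (1 << 1)       ///< Version 2
};
typedef enum TSK_HDB_NSRL_FORM_ENUM TSK_HDB_NSRL_FORM_ENUM;


/**
 * Analyze the header line of the database to determine the version of NSRL
 *
 * The version is recognised by probing single characters at fixed offsets
 * (9 through 45) of the header.  The line length is measured first so that a
 * short line is reported as corrupt instead of being indexed past its
 * terminator.
 *
 * @param str line from the database file
 *
 * @return version or -1 on error
 */
static int
get_format_ver(char *str)
{
    /* The highest offset probed is 45, so a candidate header needs more
     * than 45 characters.  A line of exactly 45 characters has its
     * terminator at offset 45 and could never match either layout. */
    const size_t len = strlen(str);

    if (len > 45) {
/*
 "SHA-1","FileName","FileSize","ProductCode","OpSystemCode","MD4","MD5","CRC32","SpecialCode"
*/
        if ((str[9] == 'F') && (str[20] == 'F') && (str[24] == 'S') &&
            (str[31] == 'P') && (str[45] == 'O')) {
            return TSK_HDB_NSRL_FORM1;
        }

/*
"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"
*/
        if ((str[9] == 'M') && (str[15] == 'C') && (str[23] == 'F') &&
            (str[34] == 'F') && (str[45] == 'P')) {
            return TSK_HDB_NSRL_FORM2;
        }
    }

    tsk_error_reset();
    tsk_errno = TSK_ERR_HDB_CORRUPT;
    snprintf(tsk_errstr, TSK_ERRSTR_L,
        "nsrl: Unknown header format: %s\n", str);
    return -1;
}

/**
 * Test the file to see if it is an NSRL database
 *
 * Rewinds the file, reads its first line and checks that it starts with the
 * quoted "SHA-1" column name and matches one of the known header layouts.
 *
 * @param hFile File handle to hash database
 *
 * @return 1 if NSRL and 0 if not
 */
uint8_t
nsrl_test(FILE * hFile)
{
    char buf[TSK_HDB_MAXLEN];

    /* If the rewind fails the "first line" would be read from an arbitrary
     * position, so the file cannot be identified. */
    if (fseeko(hFile, 0, SEEK_SET) != 0) {
        return 0;
    }

    if (NULL == fgets(buf, TSK_HDB_MAXLEN, hFile)) {
        return 0;
    }

    if (strlen(buf) < 45) {
        return 0;
    }

    // Basic checks in first field: the line must open with "SHA-1"
    if (strncmp(buf, "\"SHA-1\"", 7) != 0) {
        return 0;
    }

    if (-1 == get_format_ver(buf)) {
        return 0;
    }

    return 1;
}

/**
 * Perform a basic check on a string to see if it starts with quotes
 * and contains a possible SHA-1 value
 *
 * Only the length (more than TSK_HDB_HTYPE_SHA1_LEN + 4 characters) and the
 * quote / comma / quote punctuation around the first field are checked; the
 * characters of the hash itself are not validated.  The argument is
 * evaluated several times, so pass a plain pointer expression without side
 * effects.
 *
 * @param x string to test
 * @return 1 if NSRL and 0 if not
 */
#define is_valid_nsrl(x) \
    ( (strlen((x)) > TSK_HDB_HTYPE_SHA1_LEN + 4) && \
    ((x)[0] == '"') && ((x)[TSK_HDB_HTYPE_SHA1_LEN + 1] == '"') && \
    ((x)[TSK_HDB_HTYPE_SHA1_LEN + 2] == ',') && ((x)[TSK_HDB_HTYPE_SHA1_LEN + 3] == '"') )


/**
 * Parse a line from the NSRL database and set pointers to the SHA1 and Name.  This will modify
 * the input text by adding NULL values!
 *
 * The name is cut at the first ',' found after its start, so a name that
 * itself contains a comma comes back shortened.
 *
 * @param str String to parse
 * @param sha1 Pointer to a pointer that will contain location of SHA1 in original text
 * @param name Pointer to a pointer that will contain location of the name in original text
 * @param ver Version of NSRL we are parsing
 *
 * @return 1 on error and 0 on success
 */
static uint8_t
nsrl_parse_sha1(char *str, char **sha1, char **name, int ver)
{
    char *ptr = NULL;
    size_t len = 0;
    size_t name_off = 0;

    /* Sanity check */
    if (is_valid_nsrl(str) == 0) {
        tsk_error_reset();
        tsk_errno = TSK_ERR_HDB_CORRUPT;
        snprintf(tsk_errstr, TSK_ERRSTR_L,
            "nsrl_parse_sha1: Invalid string to parse: %s", str);
        return 1;
    }

    /* Measure the line now: the SHA1 step below writes a terminator into
     * it, after which strlen() would only see the hash field. */
    len = strlen(str);

    /* Do they want the hash? */
    if (sha1 != NULL) {
        /* set the hash pointer to just the SHA value (past the ") */
        ptr = &str[1];
        ptr[TSK_HDB_HTYPE_SHA1_LEN] = '\0';

        /* Final sanity check to make sure there are no ',' in hash */
        if (NULL != strchr(ptr, ',')) {
            tsk_error_reset();
            tsk_errno = TSK_ERR_HDB_CORRUPT;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                "nsrl_parse_sha1: Invalid string to parse (commas after SHA1): %s",
                ptr);
            return 1;
        }

        /* Assign the argument if it is not NULL */
        *sha1 = ptr;
    }

    /* Do they want the name? */
    if (name != NULL) {
        if (ver == TSK_HDB_NSRL_FORM1) {
            /* Extract out the name - the field after SHA1 */
            name_off = TSK_HDB_HTYPE_SHA1_LEN + 4;      // 4 = 3 " and 1 ,
        }
        else if (ver == TSK_HDB_NSRL_FORM2) {
            /* Extract out the name - the field after SHA1, MD5, and CRC */
            name_off = 1 + TSK_HDB_HTYPE_SHA1_LEN + 3 +
                TSK_HDB_HTYPE_MD5_LEN + 3 + TSK_HDB_HTYPE_CRC32_LEN + 3;
        }
        else {
            /* Unknown version: nothing to extract, as before */
            return 0;
        }

        /* is_valid_nsrl() only vouches for the SHA1 field.  A truncated
         * line can end before the name field starts, and searching from
         * there would read past the end of the line. */
        if (len <= name_off) {
            tsk_error_reset();
            tsk_errno = TSK_ERR_HDB_CORRUPT;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                "nsrl_parse_sha1: Invalid string to parse (line too short for name): %s",
                str);
            return 1;
        }

        *name = &str[name_off];

        if (NULL == (ptr = strchr(*name, ','))) {
            /* ptr is NULL on this path, so report the text at the name
             * position instead of handing NULL to %s */
            tsk_error_reset();
            tsk_errno = TSK_ERR_HDB_CORRUPT;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                "nsrl_parse_sha1: Invalid string to parse (commas after name): %s",
                *name);
            return 1;
        }

        /* Seek back to cover the final " */
        ptr[-1] = '\0';
    }

    return 0;
}

/**
 * Parse a line from the NSRL database and set pointers to the MD5 and Name.  This will modify
 * the input text by adding NULL values!
 *
 * @param str String to parse
 * @param md5 Pointer to a pointer that will contain location of MD5 in original text
 * @param name Pointer to a pointer that will contain location of the name in original text
 * @param ver Version of NSRL we are parsing
 *
 * @return 1 on error and 0 on success
 */
static uint8_t
nsrl_parse_md5(char *str, char **md5, char **name, int ver)
{
    char *ptr = NULL;
    int cnt = 0;

    /* Sanity check */
    if (is_valid_nsrl(str) == 0) {
        tsk_error_reset();
        tsk_errno = TSK_ERR_HDB_CORRUPT;
        snprintf(tsk_errstr, TSK_ERRSTR_L,
            "nsrl_parse_md5: Invalid string to parse: %s", str);
        return 1;
    }

    if ((md5 == NULL) && (name == NULL))
        return 0;

    if (ver == TSK_HDB_NSRL_FORM1) {
        ptr = str;

        /* Cycle through the fields to extract name and MD5
         *
         * 1. before name
         * 2. before size
         * 3. before prod code
         * 4. before OS
         * 5. before MD4
         * 6. before MD5
         */
        cnt = 0;
        while (NULL != (ptr = strchr(ptr, ','))) {
            cnt++;

            /* Beginning of the name */
            if ((cnt == 1) && (name != NULL)) {
                *name = &ptr[2];
                /* We utilize the other loop code to find the end of
                 * the name */
            }

            /* end of the name */
            else if ((cnt == 2) && (name != NULL)) {
                if (ptr[-1] != '"') {
                    tsk_error_reset();
                    tsk_errno = TSK_ERR_HDB_CORRUPT;
                    /* NOTE(review): name is a char **; the cast makes %s
                     * print the bytes of the pointer variable, not the
                     * name text.  *name looks like what was meant. */
                    snprintf(tsk_errstr, TSK_ERRSTR_L,
                        "nsrl_parse_md5: Missing Quote after name: %s",
                        (char *) name);
                    return 1;
                }
                ptr[-1] = '\0';

                if (md5 == NULL)
                    return 0;
            }

            /* MD5 value */
            else if ((cnt == 6) && (md5 != NULL)) {
                /* Do a length check and more sanity checks */
                if ((strlen(ptr) < 2 + TSK_HDB_HTYPE_MD5_LEN)
                    || (ptr[1] != '"')
                    || (ptr[2 + TSK_HDB_HTYPE_MD5_LEN] != '"')) {
                    tsk_error_reset();
                    tsk_errno = TSK_ERR_HDB_CORRUPT;
                    snprintf(tsk_errstr, TSK_ERRSTR_L,
                        "nsrl_parse_md5: Invalid MD5 value: %s", ptr);
                    return 1;
                }

                ptr = &ptr[2];
                ptr[TSK_HDB_HTYPE_MD5_LEN] = '\0';

                *md5 = ptr;

                /* Final sanity check */
                if (NULL != strchr(ptr, ',')) {
                    tsk_error_reset();
                    tsk_errno = TSK_ERR_HDB_CORRUPT;
                    /* NOTE(review): same char ** cast as above; *md5
                     * looks like what was meant. */
                    snprintf(tsk_errstr, TSK_ERRSTR_L,
                        "nsrl_parse_md5: Missing comma after MD5: %s",
                        (char *) md5);
                    return 1;
                }

                return 0;
            }

            /* If the next field is in quotes then we need to skip to the
             * next quote and ignore any ',' in there
             */
            if (ptr[1] == '"') {
                if (NULL == (ptr = strchr(&ptr[2], '"'))) {
                    tsk_error_reset();
                    tsk_errno = TSK_ERR_HDB_CORRUPT;
                    snprintf(tsk_errstr, TSK_ERRSTR_L,
                        "nsrl_parse_md5: Error advancing past quote");
                    return 1;
                }
            }
            else {
                ptr++;
            }
        }
    }
    else if (ver == TSK_HDB_NSRL_FORM2) {

        /* Do they want the hash? */
        if (md5 != NULL) {
            /* NOTE(review): is_valid_nsrl() only guarantees more than
             * TSK_HDB_HTYPE_SHA1_LEN + 4 characters, and no length check
             * is visible before this offset is written; a short line
             * would be written past its terminator.  Confirm against the
             * rest of the function. */
            /* set the hash pointer to just the MD5 value (past the SHA1") */
            ptr = &str[1 + TSK_HDB_HTYPE_SHA1_LEN + 3];
            ptr[TSK_HDB_HTYPE_MD5_LEN] = '\0';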