📄 nsrl_index.c
/* Final sanity check to make sure there are no ',' in hash */ if (NULL != strchr(ptr, ',')) { tsk_error_reset(); tsk_errno = TSK_ERR_HDB_CORRUPT; snprintf(tsk_errstr, TSK_ERRSTR_L, "nsrl_parse_md5: Comma in MD5 value: %s", ptr); return 1; } *md5 = ptr; } /* do they want the name */ if (name != NULL) { /* Extract out the name - the field after SHA1, MD5, and CRC */ ptr = &str[1 + TSK_HDB_HTYPE_SHA1_LEN + 3 + TSK_HDB_HTYPE_MD5_LEN + 3 + TSK_HDB_HTYPE_CRC32_LEN + 3]; *name = ptr; if (NULL == (ptr = strchr(ptr, ','))) { tsk_error_reset(); tsk_errno = TSK_ERR_HDB_CORRUPT; snprintf(tsk_errstr, TSK_ERRSTR_L, "nsrl_parse_md5: Missing comma after name: %s", (char *) name); return 1; } /* Seek back to cover the final " */ ptr -= 1; *ptr = '\0'; } return 0; } tsk_error_reset(); tsk_errno = TSK_ERR_HDB_ARG; snprintf(tsk_errstr, TSK_ERRSTR_L, "nsrl_parse_md5: Invalid version: %d\n", ver); return 1;}/** * Process the database to create a sorted index of it. Consecutive * entries with the same hash value are not added to the index, but * will be found during lookup. * * @param hdb_info Hash database to make index of. * @param dbtype Type of database * * @return 1 on error and 0 on success. 
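*/
uint8_t
nsrl_makeindex(TSK_HDB_INFO * hdb_info, TSK_TCHAR * dbtype)
{
    size_t i, len;
    char buf[TSK_HDB_MAXLEN];
    char *hash = NULL, phash[TSK_HDB_HTYPE_SHA1_LEN + 1];
    TSK_OFF_T offset = 0;
    int ver = 0;
    int db_cnt = 0, idx_cnt = 0, ig_cnt = 0;

    if (tsk_hdb_idxinitialize(hdb_info, dbtype)) {
        snprintf(tsk_errstr2, TSK_ERRSTR_L, "nsrl_makeindex");
        return 1;
    }

    /* The loop below only knows how to parse SHA-1 and MD5 columns.  With
     * any other type 'hash' would stay NULL and be handed to memcmp().
     * Checked after tsk_hdb_idxinitialize() because that call receives
     * dbtype -- presumably it is what sets hash_type/hash_len; confirm. */
    if (0 == (hdb_info->hash_type &
            (TSK_HDB_HTYPE_SHA1_ID | TSK_HDB_HTYPE_MD5_ID))) {
        tsk_error_reset();
        tsk_errno = TSK_ERR_HDB_ARG;
        snprintf(tsk_errstr, TSK_ERRSTR_L,
            "nsrl_makeindex: Unsupported hash type: %d",
            (int) hdb_info->hash_type);
        return 1;
    }

    /* phash holds at most a SHA-1 string plus terminator; hash_len drives
     * both the memcmp() and the strncpy() on it, so bound it here. */
    if ((hdb_info->hash_len == 0)
        || (hdb_info->hash_len > TSK_HDB_HTYPE_SHA1_LEN)) {
        tsk_error_reset();
        tsk_errno = TSK_ERR_HDB_ARG;
        snprintf(tsk_errstr, TSK_ERRSTR_L,
            "nsrl_makeindex: Invalid hash length: %d",
            (int) hdb_info->hash_len);
        return 1;
    }

    /* Status */
    if (tsk_verbose)
        TFPRINTF(stderr, _TSK_T("Extracting Data from Database (%s)\n"),
            hdb_info->db_fname);

    /* Previous hash value.  Filled with NUL bytes (not the character '0')
     * so that it can never compare equal to a real hash string: with a
     * '0' fill, a leading all-zero hash would be treated as a duplicate
     * and silently left out of the index. */
    memset(phash, 0, sizeof(phash));

    /* read the file -- offsets below are counted from byte 0, so a failed
     * rewind would produce an index that points at the wrong rows */
    if (0 != fseek(hdb_info->hDb, 0, SEEK_SET)) {
        tsk_error_reset();
        tsk_errno = TSK_ERR_HDB_READDB;
        snprintf(tsk_errstr, TSK_ERRSTR_L,
            "nsrl_makeindex: Error seeking to start of database");
        return 1;
    }

    /* NOTE(review): offset advances by strlen(buf).  A row containing an
     * embedded NUL byte would make every later offset drift from the real
     * file position; consider ftello() if the database is not trusted. */
    for (i = 0; NULL != fgets(buf, TSK_HDB_MAXLEN, hdb_info->hDb);
        offset += len, i++) {

        len = strlen(buf);

        /* Get the version of the database on the first time around */
        if (i == 0) {
            if ((ver = get_format_ver(buf)) == -1) {
                snprintf(tsk_errstr2, TSK_ERRSTR_L, "nsrl_makeindex");
                return 1;
            }
            ig_cnt++;
            continue;
        }

        /* Parse the line; rows that fail to parse are counted and skipped */
        hash = NULL;
        if (hdb_info->hash_type & TSK_HDB_HTYPE_SHA1_ID) {
            if (nsrl_parse_sha1(buf, &hash, NULL, ver)) {
                ig_cnt++;
                continue;
            }
        }
        else if (hdb_info->hash_type & TSK_HDB_HTYPE_MD5_ID) {
            if (nsrl_parse_md5(buf, &hash, NULL, ver)) {
                ig_cnt++;
                continue;
            }
        }

        /* Defensive: never compare or index through a NULL hash pointer */
        if (hash == NULL) {
            ig_cnt++;
            continue;
        }

        db_cnt++;

        /* We only want to add one of each hash to the index */
        if (memcmp(hash, phash, hdb_info->hash_len) == 0) {
            continue;
        }

        /* Add the entry to the index */
        if (tsk_hdb_idxaddentry(hdb_info, hash, offset)) {
            snprintf(tsk_errstr2, TSK_ERRSTR_L, "nsrl_makeindex");
            return 1;
        }

        idx_cnt++;

        /* Set the previous hash value (hash_len + 1 <= sizeof(phash) is
         * guaranteed by the length check above) */
        strncpy(phash, hash, hdb_info->hash_len + 1);
    }

    if (idx_cnt > 0) {
        if (tsk_verbose) {
            fprintf(stderr, " Valid Database Entries: %d\n", db_cnt);
            fprintf(stderr,
                " Invalid Database Entries (headers or errors): %d\n",
                ig_cnt);
            fprintf(stderr, " Index File Entries %s: %d\n",
                (idx_cnt == db_cnt) ? "" : "(optimized)", idx_cnt);
        }

        /* Close and sort the index */
        if (tsk_hdb_idxfinalize(hdb_info)) {
            snprintf(tsk_errstr2, TSK_ERRSTR_L, "nsrl_makeindex");
            return 1;
        }
    }
    else {
        tsk_error_reset();
        tsk_errno = TSK_ERR_HDB_CORRUPT;
        snprintf(tsk_errstr, TSK_ERRSTR_L,
            "nsrl_makeindex: No valid entries found in database");
        return 1;
    }

    return 0;
}

/**
 * Find the corresponding name at a
 * given offset.  The offset was likely determined from the index.
 * The entries in the DB following the one specified are also processed
 * if they have the same hash value and their name is different.
 * The callback is called for each entry.
 *
 * The row at @p offset is re-parsed and its hash is compared against
 * @p hash before the callback runs, so an offset that points at a
 * different row yields "not found" instead of a wrong match.
 *
 * @param hdb_info Database to get data from.
 * @param hash MD5/SHA-1 hash value that was searched for
 * @param offset Byte offset where hash value should be located in db_file
 * @param flags (not used)
 * @param action Callback used for each entry found in lookup
 * @param cb_ptr Pointer to data passed to callback
 *
 * @return 1 on error and 0 on success
 */
uint8_t
nsrl_getentry(TSK_HDB_INFO * hdb_info, const char *hash, TSK_OFF_T offset,
    TSK_HDB_FLAG_ENUM flags, TSK_HDB_LOOKUP_FN action, void *cb_ptr)
{
    char buf[TSK_HDB_MAXLEN], pname[TSK_HDB_MAXLEN];
    char *name = NULL, *cur_hash = NULL;
    int found = 0;
    int ver;

    if (tsk_verbose)
        fprintf(stderr,
            "nsrl_getentry: Lookup up hash %s at offset %" PRIuOFF "\n",
            hash, offset);

    if (hdb_info->hash_type == TSK_HDB_HTYPE_MD5_ID) {
        if (strlen(hash) != TSK_HDB_HTYPE_MD5_LEN) {
            tsk_error_reset();
            tsk_errno = TSK_ERR_HDB_ARG;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                "nsrl_getentry: Invalid hash value (expected to be MD5): %s\n",
                hash);
            return 1;
        }
    }
    else if (hdb_info->hash_type == TSK_HDB_HTYPE_SHA1_ID) {
        if (strlen(hash) != TSK_HDB_HTYPE_SHA1_LEN) {
            tsk_error_reset();
            tsk_errno = TSK_ERR_HDB_ARG;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                "nsrl_getentry: Invalid hash value (expected to be SHA1): %s\n",
                hash);
            return 1;
        }
    }
    else {
        /* Neither parser below would run, which would leave cur_hash and
         * name unset when they reach strcasecmp()/strcmp(). */
        tsk_error_reset();
        tsk_errno = TSK_ERR_HDB_ARG;
        snprintf(tsk_errstr, TSK_ERRSTR_L,
            "nsrl_getentry: Unsupported hash type: %d",
            (int) hdb_info->hash_type);
        return 1;
    }

    /* read the header line ... -- this should be done only once... */
    if (0 != fseeko(hdb_info->hDb, 0, SEEK_SET)) {
        tsk_error_reset();
        tsk_errno = TSK_ERR_HDB_READDB;
        snprintf(tsk_errstr, TSK_ERRSTR_L,
            "nsrl_getentry: Error seeking to NSRLFile.txt header");
        return 1;
    }
    if (NULL == fgets(buf, TSK_HDB_MAXLEN, hdb_info->hDb)) {
        tsk_error_reset();
        tsk_errno = TSK_ERR_HDB_READDB;
        snprintf(tsk_errstr, TSK_ERRSTR_L,
            "nsrl_getentry: Error reading NSRLFile.txt header\n");
        return 1;
    }

    if ((ver = get_format_ver(buf)) == -1) {
        snprintf(tsk_errstr2, TSK_ERRSTR_L, "nsrl_getentry");
        return 1;
    }

    /* Previous name starts as an empty, NUL-terminated string.  The old
     * fill with the character '0' left the array unterminated, which is
     * not a valid argument for strcmp(). */
    pname[0] = '\0';

    /* Loop so that we can find consecutive occurrences of the same hash */
    while (1) {
        size_t len;

        if (0 != fseeko(hdb_info->hDb, offset, SEEK_SET)) {
            tsk_error_reset();
            tsk_errno = TSK_ERR_HDB_READDB;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                "nsrl_getentry: Error seeking to get file name: %lu",
                (unsigned long) offset);
            return 1;
        }

        if (NULL == fgets(buf, TSK_HDB_MAXLEN, hdb_info->hDb)) {
            if (feof(hdb_info->hDb))
                break;
            tsk_error_reset();
            tsk_errno = TSK_ERR_HDB_READDB;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                "nsrl_getentry: Error reading database");
            return 1;
        }

        len = strlen(buf);
        if (len < TSK_HDB_HTYPE_SHA1_LEN + 5) {
            tsk_error_reset();
            tsk_errno = TSK_ERR_HDB_CORRUPT;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                "nsrl_getentry: Invalid entry in database (too short): %s",
                buf);
            return 1;
        }

        /* Which field are we looking for */
        if (hdb_info->hash_type == TSK_HDB_HTYPE_SHA1_ID) {
            if (nsrl_parse_sha1(buf, &cur_hash, &name, ver)) {
                tsk_error_reset();
                tsk_errno = TSK_ERR_HDB_CORRUPT;
                snprintf(tsk_errstr, TSK_ERRSTR_L,
                    "nsrl_getentry: Invalid entry in database: %s", buf);
                return 1;
            }
        }
        else if (hdb_info->hash_type == TSK_HDB_HTYPE_MD5_ID) {
            if (nsrl_parse_md5(buf, &cur_hash, &name, ver)) {
                tsk_error_reset();
                tsk_errno = TSK_ERR_HDB_CORRUPT;
                snprintf(tsk_errstr, TSK_ERRSTR_L,
                    "nsrl_getentry: Invalid entry in database: %s", buf);
                return 1;
            }
        }

        /* Verify that this is the hash we are looking for */
        if (0 != strcasecmp(cur_hash, hash)) {
            break;
        }

        /* The first matching row is always reported (even with an empty
         * name); later rows only when the name differs from the last one
         * handed to the callback. */
        if ((found == 0) || (strcmp(name, pname) != 0)) {
            int retval;
            retval = action(hdb_info, hash, name, cb_ptr);
            if (retval == TSK_WALK_STOP)
                return 0;
            else if (retval == TSK_WALK_ERROR)
                return 1;
            found = 1;
            /* snprintf always terminates pname, unlike strncpy */
            snprintf(pname, sizeof(pname), "%s", name);
        }

        /* Advance to the next row */
        offset += len;
    }

    if (found == 0) {
        tsk_error_reset();
        tsk_errno = TSK_ERR_HDB_ARG;
        snprintf(tsk_errstr, TSK_ERRSTR_L,
            "nsrl_getentry: Hash not found in file at offset: %lu",
            (unsigned long) offset);
        return 1;
    }

    return 0;
}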