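/*
 * The Sleuth Kit
 *
 * Brian Carrier [carrier <at> sleuthkit [dot] org]
 * Copyright (c) 2003-2008 Brian Carrier.  All rights reserved
 *
 *
 * This software is distributed under the Common Public License 1.0
 */
#include "tsk_hashdb_i.h"

/**
 * \file tm_lookup.c
 * Contains the generic hash database creation and lookup code.
 */

/**
 * Setup the hash-type specific information (such as length, index entry
 * sizes, index name etc.) in the HDB_INFO structure.
 *
 * The requested type is validated before anything is allocated, so a bad
 * @a htype leaves the structure untouched and allocates nothing.  Calling
 * this on a structure whose hash_type is already set is a no-op.
 *
 * @param hdb_info Structure to fill in.  On success hash_type, hash_len,
 * idx_llen and idx_fname are set; idx_fname is heap memory owned by the
 * structure.
 * @param htype Hash type being used (TSK_HDB_HTYPE_MD5_ID or
 * TSK_HDB_HTYPE_SHA1_ID)
 * @return 1 on error and 0 on success
 */
static uint8_t
hdb_setuphash(TSK_HDB_INFO * hdb_info, uint8_t htype)
{
    size_t flen;
    int hlen;

    if (hdb_info->hash_type != 0) {
        return 0;
    }

    /* Reject unknown types before touching the structure or allocating */
    switch (htype) {
    case TSK_HDB_HTYPE_MD5_ID:
        hlen = TSK_HDB_HTYPE_MD5_LEN;
        break;
    case TSK_HDB_HTYPE_SHA1_ID:
        hlen = TSK_HDB_HTYPE_SHA1_LEN;
        break;
    default:
        tsk_error_reset();
        tsk_errno = TSK_ERR_HDB_ARG;
        snprintf(tsk_errstr, TSK_ERRSTR_L,
            "hdb_setuphash: Invalid hash type as argument: %d", htype);
        return 1;
    }

    /* Make the name for the index file: "<db>-<type>.idx".  The extra 32
     * characters leave room for the suffix and the terminator. */
    flen = TSTRLEN(hdb_info->db_fname) + 32;
    hdb_info->idx_fname =
        (TSK_TCHAR *) tsk_malloc(flen * sizeof(TSK_TCHAR));
    if (hdb_info->idx_fname == NULL) {
        return 1;
    }

    /* Both hash types share the same name layout, so one format call
     * covers them once the type is recorded */
    hdb_info->hash_type = htype;
    hdb_info->hash_len = hlen;
    hdb_info->idx_llen = TSK_HDB_IDX_LEN(htype);
    TSNPRINTF(hdb_info->idx_fname, flen,
        _TSK_T("%s-%") PRIcTSK _TSK_T(".idx"),
        hdb_info->db_fname, TSK_HDB_HTYPE_STR(hdb_info->hash_type));
    return 0;
}

/** Initialize the TSK hash DB index file.  This creates the intermediate file,
 * which will have entries added to it.  This file must be sorted before the
 * process is finished.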
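 *
 * @param hdb_info Hash database state structure
 * @param htype String of index type to create (one of the
 * TSK_HDB_DBTYPE_*_STR names); it must match the type the database was
 * opened as
 *
 * @return 1 on error and 0 on success
 *
 */
uint8_t
tsk_hdb_idxinitialize(TSK_HDB_INFO * hdb_info, TSK_TCHAR * htype)
{
    size_t flen;
    char dbtmp[32];
    int i;
    int want_dbtype;
    uint8_t hash_id;
    const char *dbstr;

    /* Use the string of the index/hash type to figure out some settings.
     * Convert to char -- cheating way to deal with WCHARs (the type names
     * are plain ASCII, so dropping the high bytes is harmless). */
    for (i = 0; i < 31 && htype[i] != '\0'; i++) {
        dbtmp[i] = (char) htype[i];
    }
    dbtmp[i] = '\0';

    /* Map the requested index name to the database type it is valid for
     * and to the hash algorithm its entries use */
    if (strcmp(dbtmp, TSK_HDB_DBTYPE_NSRL_MD5_STR) == 0) {
        want_dbtype = TSK_HDB_DBTYPE_NSRL_ID;
        hash_id = TSK_HDB_HTYPE_MD5_ID;
    }
    else if (strcmp(dbtmp, TSK_HDB_DBTYPE_NSRL_SHA1_STR) == 0) {
        want_dbtype = TSK_HDB_DBTYPE_NSRL_ID;
        hash_id = TSK_HDB_HTYPE_SHA1_ID;
    }
    else if (strcmp(dbtmp, TSK_HDB_DBTYPE_MD5SUM_STR) == 0) {
        want_dbtype = TSK_HDB_DBTYPE_MD5SUM_ID;
        hash_id = TSK_HDB_HTYPE_MD5_ID;
    }
    else if (strcmp(dbtmp, TSK_HDB_DBTYPE_HK_STR) == 0) {
        want_dbtype = TSK_HDB_DBTYPE_HK_ID;
        hash_id = TSK_HDB_HTYPE_MD5_ID;
    }
    else {
        tsk_error_reset();
        tsk_errno = TSK_ERR_HDB_ARG;
        snprintf(tsk_errstr, TSK_ERRSTR_L,
            "hdb_idxinitialize: Unknown database type request: %s", dbtmp);
        return 1;
    }

    if (hdb_info->db_type != want_dbtype) {
        tsk_error_reset();
        tsk_errno = TSK_ERR_HDB_ARG;
        snprintf(tsk_errstr, TSK_ERRSTR_L,
            "hdb_idxinitialize: database detected as: %d index creation as: %d",
            hdb_info->db_type, want_dbtype);
        return 1;
    }

    /* Setup the internal hash information (a no-op if already configured).
     * The result is checked so an allocation failure is reported here
     * instead of surfacing later as a confusing "invalid hash type". */
    if (hdb_setuphash(hdb_info, hash_id)) {
        return 1;
    }

    /* Make the name for the unsorted intermediate index file */
    flen = TSTRLEN(hdb_info->db_fname) + 32;
    hdb_info->uns_fname =
        (TSK_TCHAR *) tsk_malloc(flen * sizeof(TSK_TCHAR));
    if (hdb_info->uns_fname == NULL) {
        return 1;
    }
    TSNPRINTF(hdb_info->uns_fname, flen,
        _TSK_T("%s-%") PRIcTSK _TSK_T("-ns.idx"),
        hdb_info->db_fname, TSK_HDB_HTYPE_STR(hdb_info->hash_type));

    /* Create temp unsorted file of offsets */
#ifdef TSK_WIN32
    {
        HANDLE hWin;
        int fd;

        if ((hWin = CreateFile(hdb_info->uns_fname, GENERIC_WRITE, 0, 0,
                    CREATE_ALWAYS, 0, 0)) == INVALID_HANDLE_VALUE) {
            tsk_error_reset();
            tsk_errno = TSK_ERR_HDB_CREATE;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                "hdb_idxinitialize: %" PRIttocTSK " CreateFile: %d",
                hdb_info->uns_fname, (int) GetLastError());
            return 1;
        }

        /* Once _open_osfhandle succeeds the descriptor owns hWin, so each
         * failure path releases exactly the object that is still ours. */
        fd = _open_osfhandle((intptr_t) hWin, _O_WRONLY);
        if (fd == -1) {
            CloseHandle(hWin);
            hdb_info->hIdxTmp = NULL;
        }
        else {
            hdb_info->hIdxTmp = _fdopen(fd, "wb");
            if (hdb_info->hIdxTmp == NULL) {
                _close(fd);
            }
        }
        if (hdb_info->hIdxTmp == NULL) {
            tsk_error_reset();
            tsk_errno = TSK_ERR_HDB_OPEN;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                "hdb_idxinitialize: Error converting Windows handle to C handle");
            /* hdb_info is owned by the caller, who closes it; freeing it
             * here would leave the caller with a dangling pointer. */
            return 1;
        }
    }
#else
    hdb_info->hIdxTmp = fopen(hdb_info->uns_fname, "w");
    if (hdb_info->hIdxTmp == NULL) {
        tsk_error_reset();
        tsk_errno = TSK_ERR_HDB_CREATE;
        snprintf(tsk_errstr, TSK_ERRSTR_L,
            "Error creating temp index file: %s", hdb_info->uns_fname);
        return 1;
    }
#endif

    /* Pick the header string; the db_type was validated above so the
     * default branch should be unreachable, but it still cleans up. */
    switch (hdb_info->db_type) {
    case TSK_HDB_DBTYPE_NSRL_ID:
        dbstr = TSK_HDB_DBTYPE_NSRL_STR;
        break;
    case TSK_HDB_DBTYPE_MD5SUM_ID:
        dbstr = TSK_HDB_DBTYPE_MD5SUM_STR;
        break;
    case TSK_HDB_DBTYPE_HK_ID:
        dbstr = TSK_HDB_DBTYPE_HK_STR;
        break;
        /* Used to stop warning messages about missing enum value */
    case TSK_HDB_DBTYPE_IDXONLY_ID:
    default:
        fclose(hdb_info->hIdxTmp);
        hdb_info->hIdxTmp = NULL;
        tsk_error_reset();
        tsk_errno = TSK_ERR_HDB_CREATE;
        snprintf(tsk_errstr, TSK_ERRSTR_L, "idxinit: Invalid db type\n");
        return 1;
    }

    /* Print the header */
    fprintf(hdb_info->hIdxTmp, "%s|%s\n", TSK_HDB_IDX_HEAD_STR, dbstr);
    return 0;
}

/**
 * Add an entry to the intermediate index file.
 *
 * The hash is written in upper case so the sorted index has one canonical
 * form.  Bytes are handed to toupper() as unsigned char: a high-bit byte in
 * a malformed database line would otherwise be a negative int, which is
 * undefined behavior for the ctype functions.
 *
 * @param hdb_info Hash database state info (hIdxTmp must be open)
 * @param hvalue NUL-terminated hash value to add
 * @param offset Byte offset of hash entry in original database.
 * @return 1 on error and 0 on success
 */
uint8_t
tsk_hdb_idxaddentry(TSK_HDB_INFO * hdb_info, char *hvalue, TSK_OFF_T offset)
{
    const unsigned char *p;

    if (hdb_info->hIdxTmp == NULL || hvalue == NULL) {
        tsk_error_reset();
        tsk_errno = TSK_ERR_HDB_ARG;
        snprintf(tsk_errstr, TSK_ERRSTR_L,
            "hdb_idxaddentry: index file not open or NULL hash");
        return 1;
    }

    /* make the hashes all upper case; toupper() leaves non-lowercase
     * bytes unchanged, so no separate islower() test is needed */
    for (p = (const unsigned char *) hvalue; *p != '\0'; p++) {
        fputc(toupper(*p), hdb_info->hIdxTmp);
    }

    /* Print the entry to the unsorted index file */
    fprintf(hdb_info->hIdxTmp, "|%.16llu\n", (unsigned long long) offset);

    /* A write error (full disk, closed descriptor) would otherwise produce
     * a silently truncated index; the flag is sticky so later calls fail too */
    if (ferror(hdb_info->hIdxTmp)) {
        tsk_error_reset();
        tsk_errno = TSK_ERR_HDB_CREATE;
        snprintf(tsk_errstr, TSK_ERRSTR_L,
            "hdb_idxaddentry: Error writing to temp index file");
        return 1;
    }
    return 0;
}

/**
 * Finalize index creation process by sorting the index and removing the
 * intermediate temp file.
 *
 * @param hdb_info Hash database state info structure.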
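 * @return 1 on error and 0 on success
 *
 * The unsorted temp file is closed (and its flush checked) before the
 * external sort runs, so a partially written index is reported instead of
 * being sorted into place.  On POSIX the file names are single-quoted for
 * the shell; on Windows they are passed double-quoted to CreateProcess.
 */
uint8_t
tsk_hdb_idxfinalize(TSK_HDB_INFO * hdb_info)
{
    if (tsk_verbose)
        tsk_fprintf(stderr, "hdb_idxfinalize: Sorting index\n");

    /* Close the unsorted file.  fclose() flushes the stream, so a failure
     * here means the temp index is incomplete and must not be sorted. */
    if (hdb_info->hIdxTmp != NULL) {
        int rc = fclose(hdb_info->hIdxTmp);
        hdb_info->hIdxTmp = NULL;
        if (rc != 0) {
            tsk_error_reset();
            tsk_errno = TSK_ERR_HDB_CREATE;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                "hdb_idxfinalize: Error writing temp index file");
            return 1;
        }
    }

    /* Close the existing index if it is open */
    if (hdb_info->hIdx) {
        fclose(hdb_info->hIdx);
        hdb_info->hIdx = NULL;
    }

#ifdef TSK_WIN32
    {
        wchar_t buf[TSK_HDB_MAXLEN];
        /// @@ Expand this to be SYSTEM_ROOT -- GetWindowsDirectory()
        wchar_t *sys32 = _TSK_T("C:\\WINDOWS\\System32\\sort.exe");
        DWORD attrs;
        DWORD exit_code = 1;
        STARTUPINFO myStartInfo;
        PROCESS_INFORMATION pinfo;

        attrs = GetFileAttributes(sys32);
        if ((attrs == INVALID_FILE_ATTRIBUTES)
            || ((attrs & FILE_ATTRIBUTE_DIRECTORY) != 0)) {
            tsk_error_reset();
            tsk_errno = TSK_ERR_HDB_MISSING;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                "Cannot find sort executable");
            return 1;
        }

        /* The layout <sort> /o "<idx>" "<uns>" adds 10 characters to the
         * three names; refuse to run a truncated command line.
         * NOTE(review): a file name containing a double quote is not
         * escaped here. */
        if (TSTRLEN(sys32) + TSTRLEN(hdb_info->idx_fname)
            + TSTRLEN(hdb_info->uns_fname) + 10 > TSK_HDB_MAXLEN) {
            tsk_error_reset();
            tsk_errno = TSK_ERR_HDB_ARG;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                "hdb_idxfinalize: file names too long for sort command");
            return 1;
        }
        TSNPRINTF(buf, TSK_HDB_MAXLEN, _TSK_T("%s /o \"%s\" \"%s\""),
            sys32, hdb_info->idx_fname, hdb_info->uns_fname);

        GetStartupInfo(&myStartInfo);
        if (FALSE == CreateProcess(NULL, buf, NULL, NULL, FALSE, 0, NULL,
                NULL, &myStartInfo, &pinfo)) {
            tsk_error_reset();
            tsk_errno = TSK_ERR_HDB_PROC;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                "Error starting sorting index file using %S", buf);
            return 1;
        }

        /* Both handles belong to us once CreateProcess succeeds; release
         * them on every path, and treat a non-zero sort exit as failure */
        if (WAIT_FAILED == WaitForSingleObject(pinfo.hProcess, INFINITE)) {
            CloseHandle(pinfo.hProcess);
            CloseHandle(pinfo.hThread);
            tsk_error_reset();
            tsk_errno = TSK_ERR_HDB_PROC;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                "Error (waiting) sorting index file using %S", buf);
            return 1;
        }
        if (!GetExitCodeProcess(pinfo.hProcess, &exit_code)) {
            exit_code = 1;
        }
        CloseHandle(pinfo.hProcess);
        CloseHandle(pinfo.hThread);
        if (exit_code != 0) {
            tsk_error_reset();
            tsk_errno = TSK_ERR_HDB_PROC;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                "Error sorting index file using %S", buf);
            return 1;
        }

        if (FALSE == DeleteFile(hdb_info->uns_fname)) {
            tsk_error_reset();
            tsk_errno = TSK_ERR_HDB_DELETE;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                "Error deleting temp file: %d", (int) GetLastError());
            return 1;
        }
    }
#else
    {
        char buf[TSK_HDB_MAXLEN];
        static const char *const sort_paths[] = {
            "/usr/local/bin/sort", "/usr/bin/sort", "/bin/sort"
        };
        const char *sort_path = NULL;
        const char *args[2];
        struct stat stats;
        size_t pos;
        size_t a;
        int n;

        /* Same search order as before: local, then usr, then root */
        for (a = 0; a < sizeof sort_paths / sizeof sort_paths[0]; a++) {
            if (0 == stat(sort_paths[a], &stats)) {
                sort_path = sort_paths[a];
                break;
            }
        }
        if (sort_path == NULL) {
            tsk_error_reset();
            tsk_errno = TSK_ERR_HDB_MISSING;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                "Cannot find sort executable");
            return 1;
        }

        /* Build "<sort> -o '<idx>' '<uns>'" for system().  Each file name
         * is single-quoted and an embedded quote becomes '\'' so the shell
         * treats the whole name as data; the earlier unquoted and
         * double-quoted forms let a space or shell metacharacter in a
         * database path alter the command.  Every append is bounded so a
         * long path fails cleanly instead of running a truncated command. */
        n = snprintf(buf, sizeof buf, "%s -o", sort_path);
        if (n < 0 || (size_t) n >= sizeof buf) {
            goto toolong;
        }
        pos = (size_t) n;
        args[0] = hdb_info->idx_fname;
        args[1] = hdb_info->uns_fname;
        for (a = 0; a < 2; a++) {
            const char *s;

            if (pos + 2 >= sizeof buf) {
                goto toolong;
            }
            buf[pos++] = ' ';
            buf[pos++] = '\'';
            for (s = args[a]; *s != '\0'; s++) {
                if (*s == '\'') {
                    if (pos + 4 >= sizeof buf) {
                        goto toolong;
                    }
                    memcpy(buf + pos, "'\\''", 4);
                    pos += 4;
                }
                else {
                    if (pos + 1 >= sizeof buf) {
                        goto toolong;
                    }
                    buf[pos++] = *s;
                }
            }
            if (pos + 1 >= sizeof buf) {
                goto toolong;
            }
            buf[pos++] = '\'';
        }
        buf[pos] = '\0';

        if (0 != system(buf)) {
            tsk_error_reset();
            tsk_errno = TSK_ERR_HDB_PROC;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                "Error sorting index file using %s", buf);
            return 1;
        }

        /* Best effort: a leftover temp file does not affect the index */
        unlink(hdb_info->uns_fname);
    }
#endif

    return 0;

#ifndef TSK_WIN32
  toolong:
    tsk_error_reset();
    tsk_errno = TSK_ERR_HDB_ARG;
    snprintf(tsk_errstr, TSK_ERRSTR_L,
        "hdb_idxfinalize: file names too long for sort command");
    return 1;
#endif
}

/** \internal
 * Setup the internal variables to read an index. This
 * opens the index and sets the needed size information.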