📄 tm_lookup.c
if (0 != fseeko(hdb_info->hIdx, tmpoff, SEEK_SET)) { tsk_error_reset(); tsk_errno = TSK_ERR_HDB_READIDX; snprintf(tsk_errstr, TSK_ERRSTR_L, "hdb_lookup: Error seeking for prev entries: %" PRIuOFF, tmpoff); return -1; } if (NULL == fgets(hdb_info->idx_lbuf, (int) hdb_info->idx_llen + 1, hdb_info->hIdx)) { tsk_error_reset(); tsk_errno = TSK_ERR_HDB_READIDX; snprintf(tsk_errstr, TSK_ERRSTR_L, "Error reading index file (prev): %lu", (unsigned long) tmpoff); return -1; } else if (strlen(hdb_info->idx_lbuf) < hdb_info->idx_llen) { tsk_error_reset(); tsk_errno = TSK_ERR_HDB_CORRUPT; snprintf(tsk_errstr, TSK_ERRSTR_L, "Invalid index file line (prev): %lu", (unsigned long) tmpoff); return -1; } hdb_info->idx_lbuf[hdb_info->hash_len] = '\0'; if (strcasecmp(hdb_info->idx_lbuf, hash) != 0) { break; }#ifdef TSK_WIN32 db_off = _atoi64(&hdb_info-> idx_lbuf[hdb_info->hash_len + 1]);#else db_off = strtoull(&hdb_info-> idx_lbuf[hdb_info->hash_len + 1], NULL, 10);#endif if (hdb_info-> getentry(hdb_info, hash, db_off, flags, action, ptr)) { return -1; } tmpoff -= hdb_info->idx_llen; } /* next entries */ tmpoff = offset + hdb_info->idx_llen; while (tmpoff < up) { if (0 != fseeko(hdb_info->hIdx, tmpoff, SEEK_SET)) { tsk_error_reset(); tsk_errno = TSK_ERR_HDB_READIDX; snprintf(tsk_errstr, TSK_ERRSTR_L, "hdb_lookup: Error seeking for next entries: %" PRIuOFF, tmpoff); return -1; } if (NULL == fgets(hdb_info->idx_lbuf, (int) hdb_info->idx_llen + 1, hdb_info->hIdx)) { if (feof(hdb_info->hIdx)) break; tsk_error_reset(); tsk_errno = TSK_ERR_HDB_READIDX; snprintf(tsk_errstr, TSK_ERRSTR_L, "Error reading index file (next): %lu", (unsigned long) tmpoff); return -1; } else if (strlen(hdb_info->idx_lbuf) < hdb_info->idx_llen) { tsk_error_reset(); tsk_errno = TSK_ERR_HDB_CORRUPT; snprintf(tsk_errstr, TSK_ERRSTR_L, "Invalid index file line (next): %lu", (unsigned long) tmpoff); return -1; } hdb_info->idx_lbuf[hdb_info->hash_len] = '\0'; if (strcasecmp(hdb_info->idx_lbuf, hash) != 0) { break; }#ifdef 
TSK_WIN32
                    db_off = _atoi64(&hdb_info->idx_lbuf[hdb_info->hash_len + 1]);
#else
                    db_off = strtoull(&hdb_info->idx_lbuf[hdb_info->hash_len + 1], NULL, 10);
#endif
                    /* NOTE(review): db_off is taken from the index file text and
                     * the conversion result is not validated here (no
                     * endptr/errno check), so getentry() receives whatever
                     * offset the index line yields. */
                    if (hdb_info->getentry(hdb_info, hash, db_off, flags, action, ptr)) {
                        return -1;
                    }
                    tmpoff += hdb_info->idx_llen;
                }
            }
            break;
        }
        poffset = offset;
    }
    return wasFound;
}

/**
 * \ingroup hashdblib
 * Search the index for a hash value supplied in binary form.  The bytes
 * are rendered as lowercase hex and handed to tsk_hdb_lookup_str().
 *
 * @param hdb_info Open hash database (with index)
 * @param hash Array with binary hash value to search for
 * @param len Number of bytes in binary hash value
 * @param flags Flags to use in lookup
 * @param action Callback function to call for each hash db entry
 * (not called if QUICK flag is given)
 * @param ptr Pointer to data to pass to each callback
 *
 * @return -1 on error, 0 if hash value not found, and 1 if value was found.
 */
int8_t
tsk_hdb_lookup_raw(TSK_HDB_INFO * hdb_info, uint8_t * hash, uint8_t len,
    TSK_HDB_FLAG_ENUM flags, TSK_HDB_LOOKUP_FN action, void *ptr)
{
    static char hex[] = "0123456789abcdef";
    char hashbuf[TSK_HDB_HTYPE_SHA1_LEN + 1];
    char *out = hashbuf;
    int i;

    /* Each input byte becomes two hex digits.  hashbuf holds
     * TSK_HDB_HTYPE_SHA1_LEN characters plus the terminator, so longer
     * input is rejected before anything is written. */
    if (2 * len > TSK_HDB_HTYPE_SHA1_LEN) {
        tsk_error_reset();
        tsk_errno = TSK_ERR_HDB_ARG;
        snprintf(tsk_errstr, TSK_ERRSTR_L,
            "tsk_hdb_lookup_raw: hash value too long\n");
        return -1;
    }

    for (i = 0; i < len; i++) {
        const uint8_t octet = hash[i];

        *out++ = hex[(octet >> 4) & 0xf];       /* high nibble */
        *out++ = hex[octet & 0xf];              /* low nibble */
    }
    *out = '\0';

    return tsk_hdb_lookup_str(hdb_info, hashbuf, flags, action, ptr);
}

/**
 * \ingroup hashdblib
 * Determine if the open hash database has an index.
 *
 * @param hdb_info Hash database to consider
 * @param htype Hash type that index should be of
 *
 * @return 1 if index exists and 0 if not
 */
uint8_t
tsk_hdb_hasindex(TSK_HDB_INFO * hdb_info, uint8_t htype)
{
    /* A non-zero idx_size means the index has already been opened. */
    if (hdb_info->idx_size != 0)
        return 1;

    /* Not open yet: try to open it now.  A non-zero result from
     * hdb_setupindex() is reported as "no index". */
    return hdb_setupindex(hdb_info, htype) ? 0 : 1;
}

/**
 * \ingroup hashdblib
 * Open a hash database.
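*
 * Unless TSK_HDB_OPEN_IDXONLY is set, the database file is opened and
 * probed with nsrl_test(), md5sum_test() and hk_test(); exactly one of
 * them must recognise it.  With TSK_HDB_OPEN_IDXONLY the database file is
 * not opened and the index-only handlers are installed.
 *
 * On every error path the file handle and any partially built state are
 * released before returning.
 *
 * @param db_file Path to database.
 * @param flags Flags for opening the database.
 *
 * @return Pointer to hash database state structure or NULL on error
 */
TSK_HDB_INFO *
tsk_hdb_open(TSK_TCHAR * db_file, TSK_HDB_OPEN_ENUM flags)
{
    TSK_HDB_INFO *hdb_info = NULL;
    size_t flen;
    FILE *hDb = NULL;
    uint8_t dbtype = 0;

    if ((flags & TSK_HDB_OPEN_IDXONLY) == 0) {
        /* Open the database file */
#ifdef TSK_WIN32
        {
            HANDLE hWin;
            int fd;

            if ((hWin = CreateFile(db_file, GENERIC_READ,
                        FILE_SHARE_READ, 0, OPEN_EXISTING, 0,
                        0)) == INVALID_HANDLE_VALUE) {
                tsk_error_reset();
                tsk_errno = TSK_ERR_HDB_OPEN;
                snprintf(tsk_errstr, TSK_ERRSTR_L,
                    "hdb_open: Error opening database file: %S",
                    db_file);
                return NULL;
            }

            /* Convert in two steps so that a failure at either step can
             * release what was acquired so far instead of leaking it. */
            fd = _open_osfhandle((intptr_t) hWin, _O_RDONLY);
            if (fd == -1) {
                CloseHandle(hWin);
                tsk_error_reset();
                tsk_errno = TSK_ERR_HDB_OPEN;
                snprintf(tsk_errstr, TSK_ERRSTR_L,
                    "hdb_open: Error converting Windows handle to C handle");
                return NULL;
            }

            hDb = _fdopen(fd, "r");
            if (hDb == NULL) {
                /* Closing the descriptor also closes the OS handle. */
                _close(fd);
                tsk_error_reset();
                tsk_errno = TSK_ERR_HDB_OPEN;
                snprintf(tsk_errstr, TSK_ERRSTR_L,
                    "hdb_open: Error converting Windows handle to C handle");
                return NULL;
            }
        }
#else
        if (NULL == (hDb = fopen(db_file, "r"))) {
            tsk_error_reset();
            tsk_errno = TSK_ERR_HDB_OPEN;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                "hdb_open: Error opening database file: %s", db_file);
            return NULL;
        }
#endif

        /* Try to figure out what type of DB it is.  Every probe is run;
         * a file that matches more than one format is rejected rather
         * than guessed at. */
        if (nsrl_test(hDb)) {
            dbtype = TSK_HDB_DBTYPE_NSRL_ID;
        }
        if (md5sum_test(hDb)) {
            if (dbtype != 0) {
                tsk_error_reset();
                tsk_errno = TSK_ERR_HDB_UNKTYPE;
                snprintf(tsk_errstr, TSK_ERRSTR_L,
                    "hdb_open: Error determining DB type (MD5sum)");
                goto fail;
            }
            dbtype = TSK_HDB_DBTYPE_MD5SUM_ID;
        }
        if (hk_test(hDb)) {
            if (dbtype != 0) {
                tsk_error_reset();
                tsk_errno = TSK_ERR_HDB_UNKTYPE;
                snprintf(tsk_errstr, TSK_ERRSTR_L,
                    "hdb_open: Error determining DB type (HK)");
                goto fail;
            }
            dbtype = TSK_HDB_DBTYPE_HK_ID;
        }
        if (dbtype == 0) {
            tsk_error_reset();
            tsk_errno = TSK_ERR_HDB_UNKTYPE;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                "hdb_open: Error determining DB type");
            goto fail;
        }

        /* Rewind to the start of the file after probing; a handle left
         * at an unknown position is not handed to the caller. */
        if (0 != fseeko(hDb, 0, SEEK_SET)) {
            tsk_error_reset();
            tsk_errno = TSK_ERR_HDB_OPEN;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                "hdb_open: Error seeking to start of database file");
            goto fail;
        }
    }
    else {
        dbtype = TSK_HDB_DBTYPE_IDXONLY_ID;
        hDb = NULL;
    }

    if ((hdb_info =
            (TSK_HDB_INFO *) tsk_malloc(sizeof(TSK_HDB_INFO))) == NULL)
        goto fail;

    hdb_info->hDb = hDb;

    /* Get database specific information */
    hdb_info->db_type = dbtype;
    switch (dbtype) {
    case TSK_HDB_DBTYPE_NSRL_ID:
        hdb_info->getentry = nsrl_getentry;
        hdb_info->makeindex = nsrl_makeindex;
        break;

    case TSK_HDB_DBTYPE_MD5SUM_ID:
        hdb_info->getentry = md5sum_getentry;
        hdb_info->makeindex = md5sum_makeindex;
        break;

    case TSK_HDB_DBTYPE_HK_ID:
        hdb_info->getentry = hk_getentry;
        hdb_info->makeindex = hk_makeindex;
        break;

    case TSK_HDB_DBTYPE_IDXONLY_ID:
        hdb_info->getentry = idxonly_getentry;
        hdb_info->makeindex = idxonly_makeindex;
        break;

    default:
        goto fail;
    }

    hdb_info->hash_type = 0;
    hdb_info->hash_len = 0;
    hdb_info->idx_fname = NULL;
    hdb_info->uns_fname = NULL;
    hdb_info->hIdxTmp = NULL;
    hdb_info->hIdx = NULL;
    hdb_info->idx_size = 0;
    hdb_info->idx_off = 0;
    hdb_info->idx_lbuf = NULL;

    /* Copy the database name into the structure.  The buffer is 8
     * characters longer than the name, so the bounded copy below always
     * includes the terminator. */
    flen = TSTRLEN(db_file) + 8;
    hdb_info->db_fname =
        (TSK_TCHAR *) tsk_malloc(flen * sizeof(TSK_TCHAR));
    if (hdb_info->db_fname == NULL)
        goto fail;

    TSTRNCPY(hdb_info->db_fname, db_file, flen);

    return hdb_info;

  fail:
    /* Release everything acquired so far; hDb is NULL in index-only mode
     * and free(NULL) is a no-op. */
    if (hDb != NULL)
        fclose(hDb);
    free(hdb_info);
    return NULL;
}

/**
 * \ingroup hashdblib
 * Close an open hash database: closes the index, temporary index and
 * database file handles that are open, frees the stored file names and
 * line buffer, and frees the structure itself.  The pointer must not be
 * used after this call.  Passing NULL is a no-op.
 *
 * @param hdb_info database to close
 */
void
tsk_hdb_close(TSK_HDB_INFO * hdb_info)
{
    if (hdb_info == NULL)
        return;

    /* fclose(NULL) is undefined, so the stream handles stay guarded. */
    if (hdb_info->hIdx)
        fclose(hdb_info->hIdx);

    if (hdb_info->hIdxTmp)
        fclose(hdb_info->hIdxTmp);
    // @@@ Could delete temp file too...

    /* free(NULL) is a no-op, so these need no guards. */
    free(hdb_info->idx_lbuf);
    free(hdb_info->db_fname);
    free(hdb_info->uns_fname);
    free(hdb_info->idx_fname);

    if (hdb_info->hDb)
        fclose(hdb_info->hDb);

    free(hdb_info);
}

/**
 * \ingroup hashdblib
 * Create an index for an open hash database by calling the makeindex
 * handler stored in the structure (installed by tsk_hdb_open() according
 * to the database type).
 *
 * @param a_hdb_info Open hash database to index
 * @param a_type Text of hash database type
 * @returns 1 on error
 */
uint8_t
tsk_hdb_makeindex(TSK_HDB_INFO * a_hdb_info, TSK_TCHAR * a_type)
{
    return a_hdb_info->makeindex(a_hdb_info, a_type);
}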