ifind_lib.c

linux下开发的针对所有磁盘的数据恢复的源码

                    tsk_fprintf(stderr,
                        "Found it (%s), now looking for %s\n", pname,
                        cur_dir);


                /* That was the last name in the path -- we found the file! */
                if (cur_dir == NULL) {
                    *a_result = fs_file->name->meta_addr;

                    // make a copy if one was requested
                    if (a_fs_name) {
                        tsk_fs_name_copy(a_fs_name, fs_file->name);
                    }

                    free(cpath);
                    return 0;
                }

                // update the attribute field, if needed
                if (TSK_FS_TYPE_ISNTFS(a_fs->ftype)
                    && ((cur_attr = strchr(cur_dir, ':')) != NULL)) {
                    *(cur_attr) = '\0';
                    cur_attr++;
                }

                /* Before we recurse into this directory, check it */
                if (fs_file->meta == NULL) {
                    free(cpath);
                    if (tsk_verbose)
                        tsk_fprintf(stderr,
                            "Name does not point to an inode (%s)\n",
                            fs_file->name->name);
                    return 1;
                }

                /* Make sure this name is for a directory */
                else if (fs_file->meta->type != TSK_FS_META_TYPE_DIR) {
                    free(cpath);
                    if (tsk_verbose)
                        tsk_fprintf(stderr,
                            "Name is not for a directory (%s) (type: %x)\n",
                            fs_file->name->name, fs_file->meta->type);
                    return 1;
                }

                next_meta = fs_file->name->meta_addr;
            }

            tsk_fs_file_close(fs_file);
            fs_file = NULL;

            if (found_name)
                break;
        }

        tsk_fs_dir_close(fs_dir);
        fs_dir = NULL;

        // didn't find the name in this directory...
        if (found_name == 0) {
            free(cpath);
            return 1;
        }
    }

    free(cpath);
    return 1;
}


/**
 * Find the meta data address for a given file TCHAR name
 *
 * @param fs FS to analyze
 * @param tpath Path of file to search for
 * @param [out] result Meta data address of file
 * @returns -1 on error, 0 if found, and 1 if not found
 */
int8_t
tsk_fs_ifind_path(TSK_FS_INFO * fs, TSK_TCHAR * tpath, TSK_INUM_T * result)
{

#ifdef TSK_WIN32
    // Convert the UTF-16 path to UTF-8
    {
        size_t clen;
        UTF8 *ptr8;
        UTF16 *ptr16;
        int retval;
        char *cpath;

        clen = TSTRLEN(tpath) * 4;
        if ((cpath = (char *) tsk_malloc(clen)) == NULL) {
            return -1;
        }
        ptr8 = (UTF8 *) cpath;
        ptr16 = (UTF16 *) tpath;

        retval =
            tsk_UTF16toUTF8(fs->endian, (const UTF16 **) &ptr16, (UTF16 *)
            & ptr16[TSTRLEN(tpath) + 1], &ptr8,
            (UTF8 *) ((uintptr_t) ptr8 + clen), TSKlenientConversion);
        if (retval != TSKconversionOK) {
            tsk_error_reset();
            tsk_errno = TSK_ERR_FS_UNICODE;
            snprintf(tsk_errstr, TSK_ERRSTR_L,
                "tsk_fs_ifind_path: Error converting path to UTF-8: %d",
                retval);
            free(cpath);
            return -1;
        }
        return tsk_fs_path2inum(fs, cpath, result, NULL);
    }
#else
    return tsk_fs_path2inum(fs, (const char *) tpath, result, NULL);
#endif
}






/*******************************************************************************
 * Find an inode given a data unit
 */

typedef struct {
    TSK_DADDR_T block;          /* the block to find */
    TSK_FS_IFIND_FLAG_ENUM flags;
    uint8_t found;

    TSK_INUM_T curinode;        /* the inode being analyzed */
    uint32_t curtype;           /* the type currently being analyzed: NTFS */
    uint16_t curid;
} IFIND_DATA_DATA;


/*
 * file_walk action for non-ntfs
 */
static TSK_WALK_RET_ENUM
ifind_data_file_act(TSK_FS_FILE * fs_file, TSK_OFF_T a_off,
    TSK_DADDR_T addr, char *buf, size_t size, TSK_FS_BLOCK_FLAG_ENUM flags,
    void *ptr)
{
    TSK_FS_INFO *fs = fs_file->fs_info;
    IFIND_DATA_DATA *data = (IFIND_DATA_DATA *) ptr;

    /* Drop references to block zero (sparse)
     * This becomes an issue with fragments and looking for fragments
     * within the first block.  They will be triggered by sparse 
     * entries, even though the first block can not be allocated
     */
    if (!addr)
        return TSK_WALK_CONT;

    if ((data->block >= addr) &&
        (data->block <
            (addr + (size + fs->block_size - 1) / fs->block_size))) {
        tsk_printf("%" PRIuINUM "\n", data->curinode);
        data->found = 1;

        if (!(data->flags & TSK_FS_IFIND_ALL))
            return TSK_WALK_STOP;

    }
    return TSK_WALK_CONT;
}


/* 
 * file_walk action callback for ntfs  
 *
 */
static TSK_WALK_RET_ENUM
ifind_data_file_ntfs_act(TSK_FS_FILE * fs_file, TSK_OFF_T a_off,
    TSK_DADDR_T addr, char *buf, size_t size, TSK_FS_BLOCK_FLAG_ENUM flags,
    void *ptr)
{
    IFIND_DATA_DATA *data = (IFIND_DATA_DATA *) ptr;

    if (addr == data->block) {
        tsk_printf("%" PRIuINUM "-%" PRIu32 "-%" PRIu16 "\n",
            data->curinode, data->curtype, data->curid);
        data->found = 1;

        if (!(data->flags & TSK_FS_IFIND_ALL)) {
            return TSK_WALK_STOP;
        }
    }
    return TSK_WALK_CONT;
}



/*
** find_inode
**
** Callback action for inode_walk
*/
static TSK_WALK_RET_ENUM
ifind_data_act(TSK_FS_FILE * fs_file, void *ptr)
{
    IFIND_DATA_DATA *data = (IFIND_DATA_DATA *) ptr;
    int file_flags = (TSK_FS_FILE_WALK_FLAG_AONLY);

    data->curinode = fs_file->meta->addr;

    /* NT Specific Stuff: search all ADS */
    if (TSK_FS_TYPE_ISNTFS(fs_file->fs_info->ftype)) {
        int i, cnt;

        file_flags |= TSK_FS_FILE_WALK_FLAG_SLACK;
        cnt = tsk_fs_file_attr_getsize(fs_file);
        for (i = 0; i < cnt; i++) {
            const TSK_FS_ATTR *fs_attr =
                tsk_fs_file_attr_get_idx(fs_file, i);
            if (!fs_attr)
                continue;

            data->curtype = fs_attr->type;
            data->curid = fs_attr->id;
            if (fs_attr->flags & TSK_FS_ATTR_NONRES) {
                if (tsk_fs_file_walk_type(fs_file, fs_attr->type,
                        fs_attr->id, file_flags, ifind_data_file_ntfs_act,
                        ptr)) {
                    if (tsk_verbose)
                        tsk_fprintf(stderr,
                            "Error walking file %" PRIuINUM,
                            fs_file->meta->addr);

                    /* Ignore these errors */
                    tsk_error_reset();
                }
            }
        }
        return TSK_WALK_CONT;
    }
    else if (TSK_FS_TYPE_ISFAT(fs_file->fs_info->ftype)) {
        file_flags |= (TSK_FS_FILE_WALK_FLAG_SLACK);
        if (tsk_fs_file_walk(fs_file, file_flags,
                ifind_data_file_act, ptr)) {
            if (tsk_verbose)
                tsk_fprintf(stderr, "Error walking file %" PRIuINUM,
                    fs_file->meta->addr);

            /* Ignore these errors */
            tsk_error_reset();
        }
    }
    /* UNIX do not need the SLACK flag because they use fragments - if the
     * SLACK flag exists then any unused fragments in a block will be 
     * correlated with the incorrect inode
     */
    else {
        // @@@ Need to add handling back in here to find indirect blocks (once a soln is found)
        if (tsk_fs_file_walk(fs_file, file_flags,
                ifind_data_file_act, ptr)) {
            if (tsk_verbose)
                tsk_fprintf(stderr, "Error walking file %" PRIuINUM,
                    fs_file->meta->addr);

            /* Ignore these errors */
            tsk_error_reset();
        }
    }

    return TSK_WALK_CONT;
}




/* 
 * Find the inode that has allocated block blk
 * Return 1 on error, 0 if no error */
uint8_t
tsk_fs_ifind_data(TSK_FS_INFO * fs, TSK_FS_IFIND_FLAG_ENUM lclflags,
    TSK_DADDR_T blk)
{
    IFIND_DATA_DATA data;

    memset(&data, 0, sizeof(IFIND_DATA_DATA));
    data.flags = lclflags;
    data.block = blk;

    if (fs->inode_walk(fs, fs->first_inum, fs->last_inum,
            TSK_FS_META_FLAG_ALLOC | TSK_FS_META_FLAG_UNALLOC,
            ifind_data_act, &data)) {
        return 1;
    }

    /* 
     * If we did not find an inode yet, we call block_walk for the 
     * block to find out the associated flags so we can identify it as
     * a meta data block */
    if (!data.found) {
        TSK_FS_BLOCK *fs_block;

        if ((fs_block = tsk_fs_block_get(fs, NULL, blk)) != NULL) {

            if (fs_block->flags & TSK_FS_BLOCK_FLAG_META) {
                tsk_printf("Meta Data\n");
                data.found = 1;
            }
            tsk_fs_block_free(fs_block);
        }
    }
    if (!data.found) {
        tsk_printf("Inode not found\n");
    }
    return 0;
}