📄 ffs.c
字号:
for (j = 0; j < 4 && count < fs_meta->size; j++) fs_meta->link[count++] = ptr[j]; } fs_meta->link[count] = '\0'; /* clear the values to avoid other code from reading them */ memset(fs_meta->content_ptr, 0, fs_meta->content_len); } /* it is in blocks (the regular way) */ else { char *buf; char *ptr = fs_meta->link; if ((buf = (char *) tsk_malloc(fs->block_size)) == NULL) { return 1; } /* there is a max link length of 1000, so we should never * need the indirect blocks */ for (i = 0; i < FFS_NDADDR && count < fs_meta->size; i++) { ssize_t cnt; TSK_DADDR_T *addr_ptr = (TSK_DADDR_T *) fs_meta->content_ptr; /* Do we need the entire block, or just part of it? */ int read_count = (fs_meta->size - count < fs->block_size) ? (int) fs_meta->size - count : fs->block_size; cnt = tsk_fs_read_block(fs, addr_ptr[i], buf, fs->block_size); if (cnt != fs->block_size) { if (cnt >= 0) { tsk_error_reset(); tsk_errno = TSK_ERR_FS_READ; } snprintf(tsk_errstr2, TSK_ERRSTR_L, "ffs_dinode_copy: FFS1A symlink dest at %" PRIuDADDR, addr_ptr[i]); free(buf); return 1; } memcpy(ptr, buf, read_count); count += read_count; ptr = (char *) ((uintptr_t) ptr + read_count); } /* terminate the string */ *ptr = '\0'; /* Clean up name */ i = 0; while (fs_meta->link[i] != '\0') { if (TSK_IS_CNTRL(fs_meta->link[i])) fs_meta->link[i] = '^'; i++; } free(buf); } } /* end of symlink */ } /* TSK_FS_TYPE_FFS1B - Solaris */ else if (fs->ftype == TSK_FS_TYPE_FFS1B) { ffs_inode1b *in = (ffs_inode1b *) ffs->dino_buf; TSK_DADDR_T *addr_ptr; fs_meta->mode = ffsmode2tskmode(tsk_getu16(fs->endian, in->di_mode)); fs_meta->type = ffsmode2tsktype(tsk_getu16(fs->endian, in->di_mode)); fs_meta->nlink = tsk_gets16(fs->endian, in->di_nlink); fs_meta->size = tsk_getu64(fs->endian, in->di_size); fs_meta->uid = tsk_getu32(fs->endian, in->di_uid); fs_meta->gid = tsk_getu32(fs->endian, in->di_gid); fs_meta->mtime = tsk_gets32(fs->endian, in->di_mtime); fs_meta->atime = tsk_gets32(fs->endian, in->di_atime); fs_meta->ctime = tsk_gets32(fs->endian, in->di_ctime); fs_meta->crtime = 0; if (fs_meta->content_len < FFS_FILE_CONTENT_LEN) { if ((fs_meta = tsk_fs_meta_realloc(fs_meta, FFS_FILE_CONTENT_LEN)) == NULL) { return 1; } } addr_ptr = (TSK_DADDR_T *) fs_meta->content_ptr; for (i = 0; i < FFS_NDADDR; i++) addr_ptr[i] = tsk_gets32(fs->endian, in->di_db[i]); for (i = 0; i < FFS_NIADDR; i++) addr_ptr[FFS_NDADDR + i] = tsk_gets32(fs->endian, in->di_ib[i]); if ((fs_meta->type == TSK_FS_META_TYPE_LNK) && (fs_meta->size < FFS_MAXPATHLEN) && (fs_meta->size >= 0)) { count = 0; /* index into the link array */ /* it is located directly in the pointers */ if (fs_meta->size < 4 * (FFS_NDADDR + FFS_NIADDR)) { char *ptr; /* Direct block pointer locations */ for (i = 0; i < FFS_NDADDR && count < fs_meta->size; i++) { ptr = (char *) &in->di_db[i]; for (j = 0; j < 4 && count < fs_meta->size; j++) fs_meta->link[count++] = ptr[j]; } /* indirect block pointers */ for (i = 0; i < FFS_NIADDR && count < fs_meta->size; i++) { ptr = (char *) &in->di_ib[i]; for (j = 0; j < 4 && count < fs_meta->size; j++) fs_meta->link[count++] = ptr[j]; } fs_meta->link[count] = '\0'; /* clear the values to avoid other code from reading them */ memset(fs_meta->content_ptr, 0, fs_meta->content_len); } /* it is in blocks (the regular way) */ else { char *buf; char *ptr; if ((buf = (char *) tsk_malloc(fs->block_size)) == NULL) return 1; fs_meta->link = ptr = tsk_malloc((size_t) fs_meta->size + 1); if (fs_meta->link == NULL) { free(buf); return 1; } /* there is a max link length of 1000, so we should never * need the indirect blocks */ for (i = 0; i < FFS_NDADDR && count < fs_meta->size; i++) { ssize_t cnt; TSK_DADDR_T *addr_ptr = (TSK_DADDR_T *) fs_meta->content_ptr; /* Do we need the entire block, or just part of it? */ int read_count = (fs_meta->size - count < fs->block_size) ? (int) fs_meta->size - count : fs->block_size; cnt = tsk_fs_read_block(fs, addr_ptr[i], buf, fs->block_size); if (cnt != fs->block_size) { if (cnt >= 0) { tsk_error_reset(); tsk_errno = TSK_ERR_FS_READ; } snprintf(tsk_errstr2, TSK_ERRSTR_L, "ffs_dinode_copy: FFS1B symlink dest at %" PRIuDADDR, addr_ptr[i]); free(buf); return 1; } memcpy(ptr, buf, read_count); count += read_count; ptr = (char *) ((uintptr_t) ptr + read_count); } /* terminate the string */ *ptr = '\0'; free(buf); } } } else if (fs->ftype == TSK_FS_TYPE_FFS2) { ffs_inode2 *in = (ffs_inode2 *) ffs->dino_buf; TSK_DADDR_T *addr_ptr; fs_meta->mode = ffsmode2tskmode(tsk_getu16(fs->endian, in->di_mode)); fs_meta->type = ffsmode2tsktype(tsk_getu16(fs->endian, in->di_mode)); fs_meta->nlink = tsk_gets16(fs->endian, in->di_nlink); fs_meta->size = tsk_getu64(fs->endian, in->di_size); fs_meta->uid = tsk_getu32(fs->endian, in->di_uid); fs_meta->gid = tsk_getu32(fs->endian, in->di_gid); fs_meta->mtime = (time_t) tsk_gets64(fs->endian, in->di_mtime); fs_meta->atime = (time_t) tsk_gets64(fs->endian, in->di_atime); fs_meta->ctime = (time_t) tsk_gets64(fs->endian, in->di_ctime); fs_meta->crtime = 0; if (fs_meta->content_len < FFS_FILE_CONTENT_LEN) { if ((fs_meta = tsk_fs_meta_realloc(fs_meta, FFS_FILE_CONTENT_LEN)) == NULL) { return 1; } } addr_ptr = (TSK_DADDR_T *) fs_meta->content_ptr; for (i = 0; i < FFS_NDADDR; i++) addr_ptr[i] = tsk_gets64(fs->endian, in->di_db[i]); for (i = 0; i < FFS_NIADDR; i++) addr_ptr[FFS_NDADDR + i] = tsk_gets64(fs->endian, in->di_ib[i]); /* set the link string (if the file is a link) * The size check is a sanity check so that we don't try and allocate * a huge amount of memory for a bad inode value */ if ((fs_meta->type == TSK_FS_META_TYPE_LNK) && (fs_meta->size < FFS_MAXPATHLEN) && (fs_meta->size >= 0)) { fs_meta->link = tsk_malloc((size_t) fs_meta->size + 1); if (fs_meta->link == NULL) { return 1; } count = 0; /* index into the link array */ /* it is located directly in the pointers * Only the new style inode has this "fast link" */ if (fs_meta->size < 8 * (FFS_NDADDR + FFS_NIADDR)) { char *ptr; /* Direct block pointer locations */ for (i = 0; i < FFS_NDADDR && count < fs_meta->size; i++) { ptr = (char *) &in->di_db[i]; for (j = 0; j < 8 && count < fs_meta->size; j++) fs_meta->link[count++] = ptr[j]; } /* indirect block pointers */ for (i = 0; i < FFS_NIADDR && count < fs_meta->size; i++) { ptr = (char *) &in->di_ib[i]; for (j = 0; j < 8 && count < fs_meta->size; j++) fs_meta->link[count++] = ptr[j]; } fs_meta->link[count] = '\0'; /* clear the values to avoid other code from reading them */ memset(fs_meta->content_ptr, 0, fs_meta->content_len); } /* it is in blocks (the regular way) */ else { char *buf; char *ptr = fs_meta->link; if ((buf = (char *) tsk_malloc(fs->block_size)) == NULL) { return 1; } /* there is a max link length of 1000, so we should never * need the indirect blocks */ for (i = 0; i < FFS_NDADDR && count < fs_meta->size; i++) { ssize_t cnt; TSK_DADDR_T *addr_ptr = fs_meta->content_ptr; /* Do we need the entire block, or just part of it? */ int read_count = (fs_meta->size - count < fs->block_size) ? (int) fs_meta->size - count : fs->block_size; cnt = tsk_fs_read_block(fs, addr_ptr[i], buf, fs->block_size); if (cnt != fs->block_size) { if (cnt >= 0) { tsk_error_reset(); tsk_errno = TSK_ERR_FS_READ; } snprintf(tsk_errstr2, TSK_ERRSTR_L, "ffs_dinode_copy: FFS2 symlink dest at %" PRIuDADDR, addr_ptr[i]); free(buf); return 1; } memcpy(ptr, buf, read_count); count += read_count; ptr = (char *) ((uintptr_t) ptr + read_count); } /* terminate the string */ *ptr = '\0'; free(buf); } } /* end of symlink */ } else { tsk_error_reset(); tsk_errno = TSK_ERR_FS_ARG; snprintf(tsk_errstr, TSK_ERRSTR_L, "ffs_dinode_copy: Unknown FFS Type"); return 1; } /* set the flags */ grp_num = (FFS_GRPNUM_T) itog_lcl(fs, ffs->fs.sb1, ffs->dino_inum); if ((ffs->grp_buf == NULL) || (grp_num != ffs->grp_num)) { if (ffs_group_load(ffs, grp_num)) return 1; } cg = (ffs_cgd *) ffs->grp_buf; inosused = (unsigned char *) cg_inosused_lcl(fs, cg); ibase = grp_num * tsk_gets32(fs->endian, ffs->fs.sb1->cg_inode_num); /* get the alloc flag */ fs_meta->flags = (isset(inosused, ffs->dino_inum - ibase) ? TSK_FS_META_FLAG_ALLOC : TSK_FS_META_FLAG_UNALLOC); /* used/unused */ fs_meta->flags |= (fs_meta->ctime ? TSK_FS_META_FLAG_USED : TSK_FS_META_FLAG_UNUSED); return 0;}/* ffs_inode_lookup - lookup inode, external interface * * Return 1 on error * * */static uint8_tffs_inode_lookup(TSK_FS_INFO * fs, TSK_FS_FILE * a_fs_file, TSK_INUM_T inum){ FFS_INFO *ffs = (FFS_INFO *) fs; if (a_fs_file == NULL) { tsk_errno = TSK_ERR_FS_ARG; snprintf(tsk_errstr, TSK_ERRSTR_L, "ffs_inode_lookup: fs_file is NULL"); return 1; } /* copy it to the TSK_FS_META structure */ if (a_fs_file->meta == NULL) { a_fs_file->meta = tsk_fs_meta_alloc(FFS_FILE_CONTENT_LEN); if (a_fs_file->meta == NULL) return 1; } else { tsk_fs_meta_reset(a_fs_file->meta); } // see if they are looking for the special "orphans" directory if (inum == TSK_FS_ORPHANDIR_INUM(fs)) { if (tsk_fs_dir_make_orphan_dir_meta(fs, a_fs_file->meta)) return 1; else return 0; } /* Lookup the inode and store it in ffs */ if (ffs_dinode_load(ffs, inum)) return 1; if (ffs_dinode_copy(ffs, a_fs_file->meta)) return 1; return 0;}/**************************************************************************⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -