📄 fs_file.c
字号:
/* * fs_file * The Sleuth Kit * * Brian Carrier [carrier <at> sleuthkit [dot] org] * Copyright (c) 2008 Brian Carrier. All Rights reserved * * This software is distributed under the Common Public License 1.0 * *//*** \file fs_file.c * Create, manage, etc. the TSK_FS_FILE structures. */#include "tsk_fs_i.h"/** * \internal * Allocate a new FS_FILE structure * @param a_fs File system fiel will be in. * @returns NULL on error */TSK_FS_FILE *tsk_fs_file_alloc(TSK_FS_INFO * a_fs){ TSK_FS_FILE *fs_file; fs_file = (TSK_FS_FILE *) tsk_malloc(sizeof(TSK_FS_FILE)); if (fs_file == NULL) return NULL; fs_file->fs_info = a_fs; fs_file->tag = TSK_FS_FILE_TAG; return fs_file;}/** \internal * * Reset the meta and name structures. * @param a_fs_file File to reset */voidtsk_fs_file_reset(TSK_FS_FILE * a_fs_file){ if (a_fs_file->meta) tsk_fs_meta_reset(a_fs_file->meta); if (a_fs_file->name) tsk_fs_name_reset(a_fs_file->name);}/** * \ingroup fslib * Close an open file. * @param a_fs_file Pointer to open file */voidtsk_fs_file_close(TSK_FS_FILE * a_fs_file){ if (a_fs_file->tag != TSK_FS_FILE_TAG) return; a_fs_file->tag = 0; if (a_fs_file->meta) { tsk_fs_meta_close(a_fs_file->meta); a_fs_file->meta = NULL; } if (a_fs_file->name) { tsk_fs_name_free(a_fs_file->name); a_fs_file->name = NULL; } free(a_fs_file);}/** * \ingroup fslib** Open a file given its metadata address. This function loads the metadata* and returns a handle that can be used to read and process the file. Note* that the returned TSK_FS_FILE structure will not have the file name set because* it was not used to load the file and this function does not search the * directory structure to find the name that points to the address. In general,* if you know the metadata address of a file, this function is more effecient * then tsk_fs_file_open, which first maps a file name to the metadata address * and then opens the file using this function. ** @param a_fs File system to analyze* @param a_fs_file Structure to store file data in or NULL to have one allocated. * @param a_addr Metadata address of file to lookup* @returns NULL on error*/TSK_FS_FILE *tsk_fs_file_open_meta(TSK_FS_INFO * a_fs, TSK_FS_FILE * a_fs_file, TSK_INUM_T a_addr){ TSK_FS_FILE *fs_file; if ((a_fs == NULL) || (a_fs->tag != TSK_FS_INFO_TAG)) { tsk_errno = TSK_ERR_FS_ARG; snprintf(tsk_errstr, TSK_ERRSTR_L, "tsk_fs_file_open_meta: called with NULL or unallocated structures"); return NULL; } fs_file = a_fs_file; if (fs_file == NULL) { if ((fs_file = tsk_fs_file_alloc(a_fs)) == NULL) return NULL; } else { /* if the structure passed has a name structure, free it * because we won't use it. */ if (fs_file->name) { tsk_fs_name_free(fs_file->name); fs_file->name = NULL; } // reset the rest of it tsk_fs_file_reset(fs_file); } if (a_fs->file_add_meta(a_fs, fs_file, a_addr)) { if (a_fs_file == NULL) free(fs_file); return NULL; } return fs_file;}/** * \ingroup fslib* Return the handle structure for a specific file, given its full path. Note that* if you have the metadata address fo the file, then tsk_fs_file_open_meta() is a* more effecient approach. ** @param a_fs File system to analyze* @param a_fs_file Structure to store file data in or NULL to have one allocated. * @param a_path Path of file to open* @returns NULL on error*/TSK_FS_FILE *tsk_fs_file_open(TSK_FS_INFO * a_fs, TSK_FS_FILE * a_fs_file, const char *a_path){ TSK_INUM_T inum; int8_t retval; TSK_FS_FILE *fs_file; TSK_FS_NAME *fs_name; if ((a_fs == NULL) || (a_fs->tag != TSK_FS_INFO_TAG)) { tsk_errno = TSK_ERR_FS_ARG; snprintf(tsk_errstr, TSK_ERRSTR_L, "tsk_fs_file_open: called with NULL or unallocated structures"); return NULL; } // allocate a structure to store the name in if ((fs_name = tsk_fs_name_alloc(128, 32)) == NULL) { return NULL; } retval = tsk_fs_path2inum(a_fs, a_path, &inum, fs_name); if (retval == -1) { return NULL; } else if (retval == 1) { tsk_errno = TSK_ERR_FS_ARG; snprintf(tsk_errstr, TSK_ERRSTR_L, "tsk_fs_file_open: path not found: %s", a_path); return NULL; } fs_file = tsk_fs_file_open_meta(a_fs, a_fs_file, inum); if (fs_file) { // Add the name to the structure fs_file->name = fs_name; } return fs_file;}/** \internal * Check the arguments for the tsk_fs_file_attr_XXX functions * and load the attributes if needed. * @param a_fs_file File argument to check. * @param a_func Name of function that this is checking for (for error messages) * @returns 1 on error */static inttsk_fs_file_attr_check(TSK_FS_FILE * a_fs_file, char *a_func){ TSK_FS_INFO *fs; // check the FS_INFO, FS_FILE structures if ((a_fs_file == NULL) || (a_fs_file->meta == NULL) || (a_fs_file->fs_info == NULL)) { tsk_errno = TSK_ERR_FS_ARG; snprintf(tsk_errstr, TSK_ERRSTR_L, "%s: called with NULL pointers", a_func); return 1; } else if (a_fs_file->meta->tag != TSK_FS_META_TAG) { tsk_errno = TSK_ERR_FS_ARG; snprintf(tsk_errstr, TSK_ERRSTR_L, "%s: called with unallocated structures", a_func); return 1; } fs = a_fs_file->fs_info; // If the attributes haven't been loaded, then load them. if (a_fs_file->meta->attr_state == TSK_FS_META_ATTR_ERROR) { tsk_errno = TSK_ERR_FS_INODE_COR; snprintf(tsk_errstr, TSK_ERRSTR_L, "%s: called for file with corrupt data", a_func); return 1; } else if ((a_fs_file->meta->attr_state != TSK_FS_META_ATTR_STUDIED) || (a_fs_file->meta->attr == NULL)) { if (fs->load_attrs(a_fs_file)) { return 1; } } return 0;}/** \ingroup fslib * Return the number of attributes in the file. * * @param a_fs_file File to return attribute count for * @returns number of attributes in file */inttsk_fs_file_attr_getsize(TSK_FS_FILE * a_fs_file){ if (tsk_fs_file_attr_check(a_fs_file, "tsk_fs_file_attr_getsize")) return 0; return tsk_fs_attrlist_get_len(a_fs_file->meta->attr);}/** \ingroup fslib * Get a file's attribute based on the 0-based index in the list (and not type, id pair). * @param a_fs_file File to get attributes from. * @param a_idx 0-based index of attribute to return. * @returns Pointer to attribute or NULL on error */⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -