📄 fs_file.c
字号:
const TSK_FS_ATTR *tsk_fs_file_attr_get_idx(TSK_FS_FILE * a_fs_file, int a_idx){ if (tsk_fs_file_attr_check(a_fs_file, "tsk_fs_file_attr_get_idx")) return NULL; return tsk_fs_attrlist_get_idx(a_fs_file->meta->attr, a_idx);}/** \ingroup fslib* Return the default attribute for the file* @param a_fs_file File to get data from* @returns NULL on error*/const TSK_FS_ATTR *tsk_fs_file_attr_get(TSK_FS_FILE * a_fs_file){ TSK_FS_ATTR_TYPE_ENUM type; TSK_FS_INFO *fs; if (tsk_fs_file_attr_check(a_fs_file, "tsk_fs_file_attr_get")) return NULL; // since they did not give us a type, get the default for the file fs = a_fs_file->fs_info; type = fs->get_default_attr_type(a_fs_file); return tsk_fs_attrlist_get(a_fs_file->meta->attr, type);}/** \ingroup fslib* Return a specific type and id attribute for the file. * @param a_fs_file File to get data from* @param a_type Type of attribute to load* @param a_id Id of attribute to load * @param a_id_used Set to 1 if ID is actually set or 0 to use default* @returns NULL on error*/const TSK_FS_ATTR *tsk_fs_file_attr_get_type(TSK_FS_FILE * a_fs_file, TSK_FS_ATTR_TYPE_ENUM a_type, uint16_t a_id, uint8_t a_id_used){ if (tsk_fs_file_attr_check(a_fs_file, "tsk_fs_file_attr_get_type")) return NULL; if (a_id_used) return tsk_fs_attrlist_get_id(a_fs_file->meta->attr, a_type, a_id); else return tsk_fs_attrlist_get(a_fs_file->meta->attr, a_type);}/*** \ingroup fslib * Process a specific attribute in a file and call a callback function with the file contents. The callback will be * called with chunks of data that are fs->block_size or less. The address given in the callback * will be correct only for raw files (when the raw file contents were stored in the block). For * compressed and sparse files, the address may be zero. If the file system you are analyzing does * not have multiple attributes per file, then you can use tsk_fs_file_walk(). For incomplete or * corrupt files, some missing runs will be identified as SPARSE and zeros will be returned in the content. * * @param a_fs_file File to process * @param a_type Attribute type to process * @param a_id Id if attribute to process * @param a_flags Flags to use while processing file * @param a_action Callback action to call with content * @param a_ptr Pointer that will passed to callback * @returns 1 on error and 0 on success. */uint8_ttsk_fs_file_walk_type(TSK_FS_FILE * a_fs_file, TSK_FS_ATTR_TYPE_ENUM a_type, uint16_t a_id, TSK_FS_FILE_WALK_FLAG_ENUM a_flags, TSK_FS_FILE_WALK_CB a_action, void *a_ptr){ const TSK_FS_ATTR *fs_attr; TSK_FS_INFO *fs; // clean up any error messages that are lying around tsk_error_reset(); // check the FS_INFO, FS_FILE structures if ((a_fs_file == NULL) || (a_fs_file->meta == NULL) || (a_fs_file->fs_info == NULL)) { tsk_errno = TSK_ERR_FS_ARG; snprintf(tsk_errstr, TSK_ERRSTR_L, "tsk_fs_file_walk: called with NULL pointers"); return 1; } else if ((a_fs_file->fs_info->tag != TSK_FS_INFO_TAG) || (a_fs_file->meta->tag != TSK_FS_META_TAG)) { tsk_errno = TSK_ERR_FS_ARG; snprintf(tsk_errstr, TSK_ERRSTR_L, "tsk_fs_file_walk: called with unallocated structures"); return 1; } fs = a_fs_file->fs_info; if (tsk_verbose) tsk_fprintf(stderr, "tsk_fs_file_walk: Processing file %" PRIuINUM "\n", a_fs_file->meta->addr); if ((fs_attr = tsk_fs_file_attr_get_type(a_fs_file, a_type, a_id, (a_flags & TSK_FS_FILE_WALK_FLAG_NOID) ? 0 : 1)) == NULL) return 1; return tsk_fs_attr_walk(fs_attr, a_flags, a_action, a_ptr);}/*** \ingroup fslib * Process a file and call a callback function with the file contents. The callback will be * called with chunks of data that are fs->block_size or less. The address given in the callback * will be correct only for raw files (when the raw file contents were stored in the block). For * compressed and sparse files, the address may be zero. If a file has multiple attributes, * such as NTFS files, this function uses the default one ($DATA for files, $IDX_ROOT for directories). * Use tsk_fs_file_walk_type to specify an attribute. * * @param a_fs_file File to process * @param a_flags Flags to use while processing file * @param a_action Callback action to call with content * @param a_ptr Pointer that will passed to callback * @returns 1 on error and 0 on success. */uint8_ttsk_fs_file_walk(TSK_FS_FILE * a_fs_file, TSK_FS_FILE_WALK_FLAG_ENUM a_flags, TSK_FS_FILE_WALK_CB a_action, void *a_ptr){ const TSK_FS_ATTR *fs_attr; TSK_FS_INFO *fs; // clean up any error messages that are lying around tsk_error_reset(); // check the FS_INFO, FS_FILE structures if ((a_fs_file == NULL) || (a_fs_file->meta == NULL) || (a_fs_file->fs_info == NULL)) { tsk_errno = TSK_ERR_FS_ARG; snprintf(tsk_errstr, TSK_ERRSTR_L, "tsk_fs_file_walk: called with NULL pointers"); return 1; } else if ((a_fs_file->fs_info->tag != TSK_FS_INFO_TAG) || (a_fs_file->meta->tag != TSK_FS_META_TAG)) { tsk_errno = TSK_ERR_FS_ARG; snprintf(tsk_errstr, TSK_ERRSTR_L, "tsk_fs_file_walk: called with unallocated structures"); return 1; } fs = a_fs_file->fs_info; if (tsk_verbose) tsk_fprintf(stderr, "tsk_fs_file_walk: Processing file %" PRIuINUM "\n", a_fs_file->meta->addr); if ((fs_attr = tsk_fs_file_attr_get(a_fs_file)) == NULL) return 1; return tsk_fs_attr_walk(fs_attr, a_flags, a_action, a_ptr);}/*** \ingroup fslib * Read the contents of a specific attribute of a file using a typical read() type interface and be * able specify a specific attribute to read (applies only to file systems with multiple attributes * per file, such as NTFS). 0s are returned for missing runs of files. * * @param a_fs_file The file to read from * @param a_type The type of attribute to load * @param a_id The id of attribute to load (use 0 and set a_flags if you do not care) * @param a_offset The byte offset to start reading from. * @param a_buf The buffer to read the data into. * @param a_len The number of bytes to read from the file. * @param a_flags Flags to use while reading * @returns The number of bytes read or -1 on error. */ssize_ttsk_fs_file_read_type(TSK_FS_FILE * a_fs_file, TSK_FS_ATTR_TYPE_ENUM a_type, uint16_t a_id, TSK_OFF_T a_offset, char *a_buf, size_t a_len, TSK_FS_FILE_READ_FLAG_ENUM a_flags){ TSK_FS_INFO *fs; const TSK_FS_ATTR *fs_attr; // clean up any error messages that are lying around tsk_error_reset(); // check the FS_INFO, FS_FILE structures if ((a_fs_file == NULL) || (a_fs_file->meta == NULL) || (a_fs_file->fs_info == NULL)) { tsk_errno = TSK_ERR_FS_ARG; snprintf(tsk_errstr, TSK_ERRSTR_L, "tsk_fs_file_read: called with NULL pointers"); return -1; } else if ((a_fs_file->fs_info->tag != TSK_FS_INFO_TAG) || (a_fs_file->meta->tag != TSK_FS_META_TAG)) { tsk_errno = TSK_ERR_FS_ARG; snprintf(tsk_errstr, TSK_ERRSTR_L, "tsk_fs_file_read: called with unallocated structures"); return -1; } fs = a_fs_file->fs_info; if ((fs_attr = tsk_fs_file_attr_get_type(a_fs_file, a_type, a_id, (a_flags & TSK_FS_FILE_READ_FLAG_NOID) ? 0 : 1)) == NULL) { return -1; } return tsk_fs_attr_read(fs_attr, a_offset, a_buf, a_len, a_flags);}/** * \ingroup fslib * Read the contents of a specific attribute of a file using a typical read() type interface. * 0s are returned for missing runs of files. * * @param a_fs_file The inode structure of the file to read. * @param a_offset The byte offset to start reading from. * @param a_buf The buffer to read the data into. * @param a_len The number of bytes to read from the file. * @param a_flags Flags to use while reading * @returns The number of bytes read or -1 on error. */ssize_ttsk_fs_file_read(TSK_FS_FILE * a_fs_file, TSK_OFF_T a_offset, char *a_buf, size_t a_len, TSK_FS_FILE_READ_FLAG_ENUM a_flags){ const TSK_FS_ATTR *fs_attr; if ((a_fs_file == NULL) || (a_fs_file->fs_info == NULL)) { tsk_errno = TSK_ERR_FS_ARG; snprintf(tsk_errstr, TSK_ERRSTR_L, "tsk_fs_file_read: fs_info is NULL"); return -1; } if ((fs_attr = tsk_fs_file_attr_get(a_fs_file)) == NULL) { return -1; } return tsk_fs_attr_read(fs_attr, a_offset, a_buf, a_len, a_flags);}⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -