From 0c33daa14ac9954f0e5f3eb4f26e66f0b286674c Mon Sep 17 00:00:00 2001
From: Brian Carrier <carrier@sleuthkit.org>
Date: Mon, 1 Jun 2009 21:25:55 +0000
Subject: [PATCH] Added feature 2206265 to add imgtools support to sigfind
---
CHANGES.txt | 3 ++
tools/srchtools/sigfind.cpp | 74 ++++++++++++++++---------------------
2 files changed, 35 insertions(+), 42 deletions(-)
diff --git a/CHANGES.txt b/CHANGES.txt
index 11c909620..59687e321 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -90,6 +90,9 @@ image formats supported by AFFLIB.
until after all image format open calls to support formats that do
not use actual files.
+6/1/09: Update: Added feature 2206265 to add imgtools layer support
+to sigfind.
+
---------------- VERSION 3.0.1 --------------
11/11/08: Bug Fix: Fixed crashing bug in ifind on FAT file system.
diff --git a/tools/srchtools/sigfind.cpp b/tools/srchtools/sigfind.cpp
index 26de114e1..53a025ba8 100644
--- a/tools/srchtools/sigfind.cpp
+++ b/tools/srchtools/sigfind.cpp
@@ -46,9 +46,10 @@ main(int argc, char **argv)
uint8_t block[1024];
char **err = NULL;
- int fd;
- int offset = 0, rel_offset = 0;
- int read_size = 512, bs = 512;
+ TSK_IMG_INFO *img_info;
+ TSK_OFF_T cur_offset;
+ int sig_offset = 0, rel_offset = 0;
+ int read_size, bs = 512;
daddr_t i, prev_hit;
int sig_size = 0;
uint8_t lit_end = 0;
@@ -78,9 +79,9 @@ main(int argc, char **argv)
case 'o':
- /* Get the offset in the sector */
- offset = strtol(optarg, err, 10);
- if ((offset == 0) || (errno == EINVAL)) {
+ /* Get the sig_offset in the sector */
+ sig_offset = strtol(optarg, err, 10);
+ if ((sig_offset == 0) || (errno == EINVAL)) {
fprintf(stderr, "Error converting offset value: %s\n",
optarg);
exit(1);
@@ -94,7 +95,7 @@ main(int argc, char **argv)
sig[0] = 0x53;
sig[1] = 0xef;
sig_size = 2;
- offset = 56;
+ sig_offset = 56;
bs = 512;
}
else if ((strcmp(optarg, "dospart") == 0) ||
@@ -104,7 +105,7 @@ main(int argc, char **argv)
sig[0] = 0x55;
sig[1] = 0xaa;
sig_size = 2;
- offset = 510;
+ sig_offset = 510;
bs = 512;
}
else if (strcmp(optarg, "ufs1") == 0) {
@@ -115,7 +116,7 @@ main(int argc, char **argv)
sig[3] = 0x00;
sig_size = 4;
/* Located 1372 into SB */
- offset = 348;
+ sig_offset = 348;
bs = 512;
}
else if (strcmp(optarg, "ufs2") == 0) {
@@ -126,7 +127,7 @@ main(int argc, char **argv)
sig[3] = 0x19;
sig_size = 4;
/* Located 1372 into SB */
- offset = 348;
+ sig_offset = 348;
bs = 512;
}
else if (strcmp(optarg, "hfs+") == 0) {
@@ -137,7 +138,7 @@ main(int argc, char **argv)
sig[3] = 0x04;
sig_size = 4;
/* Located 1024 into image */
- offset = 0;
+ sig_offset = 0;
bs = 512;
}
else if (strcmp(optarg, "hfs") == 0) {
@@ -146,7 +147,7 @@ main(int argc, char **argv)
sig[1] = 0x44;
sig_size = 2;
/* Located 1024 into image */
- offset = 0;
+ sig_offset = 0;
bs = 512;
}
else {
@@ -245,67 +246,60 @@ main(int argc, char **argv)
}
}
- if (offset < 0) {
- fprintf(stderr, "Error: negative offset\n");
+ if (sig_offset < 0) {
+ fprintf(stderr, "Error: negative signature offset\n");
exit(1);
}
/* Check that the signature and offset are not larger than a block */
- if ((offset + sig_size) > bs) {
+ if ((sig_offset + sig_size) > bs) {
fprintf(stderr,
"Error: The offset and signature sizes are greater than the block size\n");
exit(1);
}
+ read_size = 512;
/* If our signature crosses the 512 boundary, then read 1k at a time */
- if ((offset / 512) != ((offset + sig_size - 1) / 512)) {
+ if ((sig_offset / 512) != ((sig_offset + sig_size - 1) / 512)) {
read_size = 1024;
}
- rel_offset = offset % 512;
-
-
/* Get the image */
if (optind + 1 != argc) {
usage();
}
- fd = open(argv[optind], O_RDONLY);
- if (fd == -1) {
- fprintf(stderr, "error opening: %s\n", argv[optind]);
+ if ((img_info =
+ tsk_img_open_utf8_sing(argv[optind],
+ TSK_IMG_TYPE_DETECT)) == NULL) {
+ tsk_error_print(stderr);
exit(1);
}
- /* Seek to the correct block */
- if (offset > 512) {
- if (-1 == lseek(fd, (offset / 512) * 512, SEEK_SET)) {
- fprintf(stderr, "error doing initial seek\n");
- exit(1);
- }
- }
-
-
/* Make a version that can be more easily printed */
for (i = 0; i < sig_size; i++) {
sig_print |= (sig[i] << ((sig_size - 1 - i) * 8));
}
- printf("Block size: %d Offset: %d Signature: %X\n", bs, offset,
+ printf("Block size: %d Offset: %d Signature: %X\n", bs, sig_offset,
sig_print);
/* Loop through by blocks - we will read in block sized chunks
* so that we can be used on raw devices
*/
+ cur_offset = (sig_offset / 512) * 512;
+ rel_offset = sig_offset % 512;
prev_hit = -1;
for (i = 0;; i++) {
- int retval;
+ ssize_t retval;
/* Read the signature area */
- retval = read(fd, (void *) block, read_size);
- if (retval == 0)
+ retval = tsk_img_read(img_info, cur_offset,
+ (char *)block, read_size);
+ if (retval == 0) {
break;
-
+ }
else if (retval == -1) {
fprintf(stderr, "error reading bytes %lu\n",
(unsigned long) i);
@@ -325,13 +319,9 @@ main(int argc, char **argv)
prev_hit = i;
}
-
- /* Seek ahead another block */
- if (-1 == lseek(fd, bs - read_size, SEEK_CUR)) {
- break;
- }
+ cur_offset += bs;
}
- close(fd);
+ tsk_img_close(img_info);
exit(0);
}
--
GitLab