Commit
dcca5734
authored
9 years ago
by
Eugene Livis
Added open/close/read methods for vhd format
parent
033e689a
Showing
2 changed files
tsk/img/tsk_img.h
+3
-2
3 additions, 2 deletions
tsk/img/tsk_img.h
tsk/img/vhd.c
+91
-93
91 additions, 93 deletions
tsk/img/vhd.c
with
94 additions
and
95 deletions
tsk/img/tsk_img.h
+
3
−
2
...
...
@@ -64,8 +64,9 @@ extern "C" {
TSK_IMG_TYPE_AFF_AFM
=
0x0010
,
///< AFM AFF Format
TSK_IMG_TYPE_AFF_ANY
=
0x0020
,
///< Any format supported by AFFLIB (including beta ones)
TSK_IMG_TYPE_EWF_EWF
=
0x0040
,
///< EWF version
TSK_IMG_TYPE_VMDK_VMDK
=
0x0080
,
///< VMDK version
TSK_IMG_TYPE_EWF_EWF
=
0x0040
,
///< EWF version
TSK_IMG_TYPE_VMDK_VMDK
=
0x0080
,
///< VMDK version
TSK_IMG_TYPE_VHD_VHD
=
0x0100
,
///< VHD version
TSK_IMG_TYPE_EXTERNAL
=
0x1000
,
///< external defined format which at least implements TSK_IMG_INFO, used by pytsk
TSK_IMG_TYPE_UNSUPP
=
0xffff
,
///< Unsupported disk image type
...
...
tsk/img/vhd.c
+
91
−
93
/*
* The Sleuth Kit - Add on for
VMDK (
Virtual
Machine Disk
) image support
* The Sleuth Kit - Add on for Virtual
Hard Disk (VHD
) image support
*
* Copyright (c) 2006, 2011 Joachim Metz <jbmetz@users.sourceforge.net>
*
...
...
@@ -20,19 +20,18 @@
#define TSK_VHDI_ERROR_STRING_SIZE 512
#if 0
/**
* Get error string from libv
mdk
and make buffer emtpy if that didn't work.
* Get error string from libv
hdi
and make buffer emtpy if that didn't work.
* @returns 1 if error message was not set
*/
static
uint8_t
getError(libv
mdk
_error_t * v
mdk
_error,
char error_string[TSK_V
MDK
_ERROR_STRING_SIZE])
getError
(
libv
hdi
_error_t
*
v
hdi
_error
,
char
error_string
[
TSK_V
HDI
_ERROR_STRING_SIZE
])
{
int
retval
;
error_string
[
0
]
=
'\0'
;
retval = libv
mdk
_error_backtrace_sprint(v
mdk
_error,
error_string, TSK_V
MDK
_ERROR_STRING_SIZE);
retval
=
libv
hdi
_error_backtrace_sprint
(
v
hdi
_error
,
error_string
,
TSK_V
HDI
_ERROR_STRING_SIZE
);
if
(
retval
)
return
1
;
return
0
;
...
...
@@ -40,59 +39,59 @@ getError(libvmdk_error_t * vmdk_error,
static
ssize_t
v
mdk
_image_read(TSK_IMG_INFO * img_info, TSK_OFF_T offset, char *buf,
v
hdi
_image_read
(
TSK_IMG_INFO
*
img_info
,
TSK_OFF_T
offset
,
char
*
buf
,
size_t
len
)
{
char error_string[TSK_V
MDK
_ERROR_STRING_SIZE];
libv
mdk
_error_t *v
mdk
_error = NULL;
char
error_string
[
TSK_V
HDI
_ERROR_STRING_SIZE
];
libv
hdi
_error_t
*
v
hdi
_error
=
NULL
;
ssize_t
cnt
;
IMG_V
MDK
_INFO *v
mdk
_info = (IMG_V
MDK
_INFO *) img_info;
IMG_V
HDI
_INFO
*
v
hdi
_info
=
(
IMG_V
HDI
_INFO
*
)
img_info
;
if
(
tsk_verbose
)
tsk_fprintf
(
stderr
,
"v
mdk
_image_read: byte offset: %" PRIuOFF " len: %" PRIuSIZE
"v
hdi
_image_read: byte offset: %"
PRIuOFF
" len: %"
PRIuSIZE
"
\n
"
,
offset
,
len
);
if
(
offset
>
img_info
->
size
)
{
tsk_error_reset
();
tsk_error_set_errno
(
TSK_ERR_IMG_READ_OFF
);
tsk_error_set_errstr("v
mdk
_image_read - %" PRIuOFF, offset);
tsk_error_set_errstr
(
"v
hdi
_image_read - %"
PRIuOFF
,
offset
);
return
-
1
;
}
tsk_take_lock(&(v
mdk
_info->read_lock));
tsk_take_lock
(
&
(
v
hdi
_info
->
read_lock
));
cnt = libv
mdk_hand
le_read_buffer_at_offset(v
mdk
_info->handle,
buf, len, offset, &v
mdk
_error);
cnt
=
libv
hdi_fi
le_read_buffer_at_offset
(
v
hdi
_info
->
handle
,
buf
,
len
,
offset
,
&
v
hdi
_error
);
if
(
cnt
<
0
)
{
char
*
errmsg
=
NULL
;
tsk_error_reset
();
tsk_error_set_errno
(
TSK_ERR_IMG_READ
);
if (getError(v
mdk
_error, error_string))
if
(
getError
(
v
hdi
_error
,
error_string
))
errmsg
=
strerror
(
errno
);
else
errmsg
=
error_string
;
tsk_error_set_errstr("v
mdk
_image_read - offset: %" PRIuOFF
tsk_error_set_errstr
(
"v
hdi
_image_read - offset: %"
PRIuOFF
" - len: %"
PRIuSIZE
" - %s"
,
offset
,
len
,
errmsg
);
tsk_release_lock(&(v
mdk
_info->read_lock));
tsk_release_lock
(
&
(
v
hdi
_info
->
read_lock
));
return
-
1
;
}
tsk_release_lock(&(v
mdk
_info->read_lock));
tsk_release_lock
(
&
(
v
hdi
_info
->
read_lock
));
return
cnt
;
}
static
void
v
mdk
_image_imgstat(TSK_IMG_INFO * img_info, FILE * hFile)
v
hdi
_image_imgstat
(
TSK_IMG_INFO
*
img_info
,
FILE
*
hFile
)
{
IMG_V
MDK
_INFO *v
mdk
_info = (IMG_V
MDK
_INFO *) img_info;
IMG_V
HDI
_INFO
*
v
hdi
_info
=
(
IMG_V
HDI
_INFO
*
)
img_info
;
tsk_fprintf
(
hFile
,
"IMAGE FILE INFORMATION
\n
"
);
tsk_fprintf
(
hFile
,
"--------------------------------------------
\n
"
);
tsk_fprintf(hFile, "Image Type:\t\tv
mdk
\n");
tsk_fprintf
(
hFile
,
"Image Type:
\t\t
v
hdi
\n
"
);
tsk_fprintf
(
hFile
,
"
\n
Size of data in bytes:
\t
%"
PRIuOFF
"
\n
"
,
img_info
->
size
);
...
...
@@ -101,165 +100,166 @@ vmdk_image_imgstat(TSK_IMG_INFO * img_info, FILE * hFile)
static
void
v
mdk
_image_close(TSK_IMG_INFO * img_info)
v
hdi
_image_close
(
TSK_IMG_INFO
*
img_info
)
{
int
i
;
char error_string[TSK_V
MDK
_ERROR_STRING_SIZE];
libv
mdk
_error_t *v
mdk
_error = NULL;
char
error_string
[
TSK_V
HDI
_ERROR_STRING_SIZE
];
libv
hdi
_error_t
*
v
hdi
_error
=
NULL
;
char
*
errmsg
=
NULL
;
IMG_V
MDK
_INFO *v
mdk
_info = (IMG_V
MDK
_INFO *) img_info;
IMG_V
HDI
_INFO
*
v
hdi
_info
=
(
IMG_V
HDI
_INFO
*
)
img_info
;
if( libv
mdk_hand
le_close(v
mdk
_info->handle, &v
mdk
_error ) != 0 )
if
(
libv
hdi_fi
le_close
(
v
hdi
_info
->
handle
,
&
v
hdi
_error
)
!=
0
)
{
tsk_error_reset
();
tsk_error_set_errno
(
TSK_ERR_AUX_GENERIC
);
if (getError(v
mdk
_error, error_string))
if
(
getError
(
v
hdi
_error
,
error_string
))
errmsg
=
strerror
(
errno
);
else
errmsg
=
error_string
;
tsk_error_set_errstr("v
mdk
_image_close: unable to close handle - %s", errmsg);
tsk_error_set_errstr
(
"v
hdi
_image_close: unable to close handle - %s"
,
errmsg
);
}
libv
mdk_hand
le_free(&(v
mdk
_info->handle), NULL);
if( libv
mdk_hand
le_free(&(v
mdk
_info->handle), &v
mdk
_error ) != 1 )
libv
hdi_fi
le_free
(
&
(
v
hdi
_info
->
handle
),
NULL
);
if
(
libv
hdi_fi
le_free
(
&
(
v
hdi
_info
->
handle
),
&
v
hdi
_error
)
!=
1
)
{
tsk_error_reset
();
tsk_error_set_errno
(
TSK_ERR_AUX_GENERIC
);
if (getError(v
mdk
_error, error_string))
if
(
getError
(
v
hdi
_error
,
error_string
))
errmsg
=
strerror
(
errno
);
else
errmsg
=
error_string
;
tsk_error_set_errstr("v
mdk
_image_close: unable to free handle - %s", errmsg);
tsk_error_set_errstr
(
"v
hdi
_image_close: unable to free handle - %s"
,
errmsg
);
}
for (i = 0; i < v
mdk
_info->num_imgs; i++) {
free(v
mdk
_info->images[i]);
for
(
i
=
0
;
i
<
v
hdi
_info
->
num_imgs
;
i
++
)
{
free
(
v
hdi
_info
->
images
[
i
]);
}
free(v
mdk
_info->images);
free
(
v
hdi
_info
->
images
);
tsk_deinit_lock(&(v
mdk
_info->read_lock));
tsk_deinit_lock
(
&
(
v
hdi
_info
->
read_lock
));
tsk_img_free
(
img_info
);
}
TSK_IMG_INFO
*
v
mdk
_open(int a_num_img,
v
hdi
_open
(
int
a_num_img
,
const
TSK_TCHAR
*
const
a_images
[],
unsigned
int
a_ssize
)
{
char error_string[TSK_V
MDK
_ERROR_STRING_SIZE];
libv
mdk
_error_t *v
mdk
_error = NULL;
char
error_string
[
TSK_V
HDI
_ERROR_STRING_SIZE
];
libv
hdi
_error_t
*
v
hdi
_error
=
NULL
;
int
result
=
0
;
int
i
;
IMG_V
MDK
_INFO *v
mdk
_info = NULL;
IMG_V
HDI
_INFO
*
v
hdi
_info
=
NULL
;
TSK_IMG_INFO
*
img_info
=
NULL
;
if
(
tsk_verbose
)
{
libv
mdk
_notify_set_verbose(1);
libv
mdk
_notify_set_stream(stderr, NULL);
libv
hdi
_notify_set_verbose
(
1
);
libv
hdi
_notify_set_stream
(
stderr
,
NULL
);
}
if ((v
mdk
_info =
(IMG_V
MDK
_INFO *) tsk_img_malloc(sizeof(IMG_V
MDK
_INFO))) ==
if
((
v
hdi
_info
=
(
IMG_V
HDI
_INFO
*
)
tsk_img_malloc
(
sizeof
(
IMG_V
HDI
_INFO
)))
==
NULL
)
{
return
NULL
;
}
v
mdk
_info->handle = NULL;
img_info = (TSK_IMG_INFO *) v
mdk
_info;
v
hdi
_info
->
handle
=
NULL
;
img_info
=
(
TSK_IMG_INFO
*
)
v
hdi
_info
;
v
mdk
_info->num_imgs = a_num_img;
if ((v
mdk
_info->images =
v
hdi
_info
->
num_imgs
=
a_num_img
;
if
((
v
hdi
_info
->
images
=
(
TSK_TCHAR
**
)
tsk_malloc
(
a_num_img
*
sizeof
(
TSK_TCHAR
*
)))
==
NULL
)
{
tsk_img_free(v
mdk
_info);
tsk_img_free
(
v
hdi
_info
);
return
NULL
;
}
for
(
i
=
0
;
i
<
a_num_img
;
i
++
)
{
if ((v
mdk
_info->images[i] =
if
((
v
hdi
_info
->
images
[
i
]
=
(
TSK_TCHAR
*
)
tsk_malloc
((
TSTRLEN
(
a_images
[
i
])
+
1
)
*
sizeof
(
TSK_TCHAR
)))
==
NULL
)
{
tsk_img_free(v
mdk
_info);
tsk_img_free
(
v
hdi
_info
);
return
NULL
;
}
TSTRNCPY(v
mdk
_info->images[i], a_images[i],
TSTRNCPY
(
v
hdi
_info
->
images
[
i
],
a_images
[
i
],
TSTRLEN
(
a_images
[
i
])
+
1
);
}
if (libv
mdk_hand
le_initialize(&(v
mdk
_info->handle), &v
mdk
_error) != 1) {
if
(
libv
hdi_fi
le_initialize
(
&
(
v
hdi
_info
->
handle
),
&
v
hdi
_error
)
!=
1
)
{
tsk_error_reset
();
tsk_error_set_errno
(
TSK_ERR_IMG_OPEN
);
getError(v
mdk
_error, error_string);
tsk_error_set_errstr("v
mdk
_open file: %" PRIttocTSK
getError
(
v
hdi
_error
,
error_string
);
tsk_error_set_errstr
(
"v
hdi
_open file: %"
PRIttocTSK
": Error initializing handle (%s)"
,
a_images
[
0
],
error_string
);
libv
mdk
_error_free(&v
mdk
_error);
libv
hdi
_error_free
(
&
v
hdi
_error
);
tsk_img_free(v
mdk
_info);
tsk_img_free
(
v
hdi
_info
);
if
(
tsk_verbose
!=
0
)
{
tsk_fprintf(stderr, "Unable to create v
mdk
handle\n");
tsk_fprintf
(
stderr
,
"Unable to create v
hdi
handle
\n
"
);
}
return
(
NULL
);
}
#if defined( TSK_WIN32 )
if (libv
mdk_hand
le_open_wide(v
mdk
_info->handle,
(const wchar_t *) v
mdk
_info->images[0],
LIBV
MDK
_OPEN_READ, &v
mdk
_error) != 1)
if
(
libv
hdi_fi
le_open_wide
(
v
hdi
_info
->
handle
,
(
const
wchar_t
*
)
v
hdi
_info
->
images
[
0
],
LIBV
HDI
_OPEN_READ
,
&
v
hdi
_error
)
!=
1
)
#else
if (libv
mdk_hand
le_open(v
mdk
_info->handle,
(const char *) v
mdk
_info->images,
LIBV
MDK
_OPEN_READ, &v
mdk
_error) != 1)
if
(
libv
hdi_fi
le_open
(
v
hdi
_info
->
handle
,
(
const
char
*
)
v
hdi
_info
->
images
,
LIBV
HDI
_OPEN_READ
,
&
v
hdi
_error
)
!=
1
)
#endif
{
tsk_error_reset
();
tsk_error_set_errno
(
TSK_ERR_IMG_OPEN
);
getError
(
v
mdk
_error
,
error_string
);
tsk_error_set_errstr
(
"v
mdk
_open file: %"
PRIttocTSK
getError
(
v
hdi
_error
,
error_string
);
tsk_error_set_errstr
(
"v
hdi
_open file: %"
PRIttocTSK
": Error opening (%s)"
,
a_images
[
0
],
error_string
);
libv
mdk
_error_free
(
&
v
mdk
_error
);
libv
hdi
_error_free
(
&
v
hdi
_error
);
tsk_img_free
(
v
mdk
_info
);
tsk_img_free
(
v
hdi
_info
);
if
(
tsk_verbose
!=
0
)
{
tsk_fprintf
(
stderr
,
"Error opening v
mdk
file
\n
"
);
tsk_fprintf
(
stderr
,
"Error opening v
hdi
file
\n
"
);
}
return
(
NULL
);
}
if
(
libvmdk_handle_open_extent_data_files
(
vmdk_info
->
handle
,
&
vmdk_error
)
!=
1
)
// ELTODO: if this works, add #if defined( TSK_WIN32 )
if
(
libvhdi_check_file_signature_wide
((
const
wchar_t
*
)
vhdi_info
->
images
[
0
],
&
vhdi_error
)
!=
1
)
{
tsk_error_reset
();
tsk_error_set_errno
(
TSK_ERR_IMG_OPEN
);
getError
(
v
mdk
_error
,
error_string
);
tsk_error_set_errstr
(
"v
mdk
_open file: %"
PRIttocTSK
": Error
opening extent data files
for image (%s)"
,
a_images
[
0
],
getError
(
v
hdi
_error
,
error_string
);
tsk_error_set_errstr
(
"v
hdi
_open file: %"
PRIttocTSK
": Error
checking file signature
for image (%s)"
,
a_images
[
0
],
error_string
);
libv
mdk
_error_free
(
&
v
mdk
_error
);
libv
hdi
_error_free
(
&
v
hdi
_error
);
tsk_img_free
(
v
mdk
_info
);
tsk_img_free
(
v
hdi
_info
);
if
(
tsk_verbose
!=
0
)
{
tsk_fprintf
(
stderr
,
"Error
opening vmdk extent data
file
s
\n
"
);
tsk_fprintf
(
stderr
,
"Error
checking file signature for vhd
file
\n
"
);
}
return
(
NULL
);
}
if
(
libv
mdk_hand
le_get_media_size
(
v
mdk
_info
->
handle
,
(
size64_t
*
)
&
(
img_info
->
size
),
&
v
mdk
_error
)
!=
1
)
{
if
(
libv
hdi_fi
le_get_media_size
(
v
hdi
_info
->
handle
,
(
size64_t
*
)
&
(
img_info
->
size
),
&
v
hdi
_error
)
!=
1
)
{
tsk_error_reset
();
tsk_error_set_errno
(
TSK_ERR_IMG_OPEN
);
getError
(
v
mdk
_error
,
error_string
);
tsk_error_set_errstr
(
"v
mdk
_open file: %"
PRIttocTSK
getError
(
v
hdi
_error
,
error_string
);
tsk_error_set_errstr
(
"v
hdi
_open file: %"
PRIttocTSK
": Error getting size of image (%s)"
,
a_images
[
0
],
error_string
);
libv
mdk
_error_free
(
&
v
mdk
_error
);
libv
hdi
_error_free
(
&
v
hdi
_error
);
tsk_img_free
(
v
mdk
_info
);
tsk_img_free
(
v
hdi
_info
);
if
(
tsk_verbose
!=
0
)
{
tsk_fprintf
(
stderr
,
"Error getting size of v
mdk
file
\n
"
);
tsk_fprintf
(
stderr
,
"Error getting size of v
hdi
file
\n
"
);
}
return
(
NULL
);
}
...
...
@@ -270,17 +270,15 @@ vmdk_open(int a_num_img,
else
{
img_info
->
sector_size
=
512
;
}
img_info
->
itype
=
TSK_IMG_TYPE_V
MDK_VMDK
;
img_info
->
read
=
&
v
mdk
_image_read
;
img_info
->
close
=
&
v
mdk
_image_close
;
img_info
->
imgstat
=
&
v
mdk
_image_imgstat
;
img_info
->
itype
=
TSK_IMG_TYPE_V
HD_VHD
;
img_info
->
read
=
&
v
hdi
_image_read
;
img_info
->
close
=
&
v
hdi
_image_close
;
img_info
->
imgstat
=
&
v
hdi
_image_imgstat
;
// initialize the read lock
tsk_init_lock
(
&
(
v
mdk
_info
->
read_lock
));
tsk_init_lock
(
&
(
v
hdi
_info
->
read_lock
));
return
(
img_info
);
}
#endif //0
#endif
/* HAVE_LIBVMDK */
#endif
/* HAVE_LIBVHDI */
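Review bot: In the `#else` (non-Windows) branch of vhdi_open, `libvhdi_file_open` receives `(const char *) vhdi_info->images`, which is the pointer array itself and not the first path, so the library would interpret pointer bytes as a file name; the argument should be `(const char *) vhdi_info->images[0]`, as in the TSK_WIN32 branch. The `libvhdi_check_file_signature_wide` call that follows is unconditional and casts the path to `const wchar_t *`; on builds where TSK_TCHAR is a narrow character type (presumably the non-Windows ones) that scans a `char` string as wide characters and can read past its terminator, so the ELTODO should become a `#if defined( TSK_WIN32 )` / `#else` pair that calls `libvhdi_check_file_signature` on the narrow side. The error paths after `libvhdi_file_initialize` succeeds call only `tsk_img_free(vhdi_info)`, which appears to leave the libvhdi handle and the copied `images` entries unreleased. All of this sits inside the `#if 0` region and part of vhdi_open is hidden behind elided context, so the remarks apply once the block is enabled.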