Re: [sleuthkit-developers] win32 live bugs?
From: Darren B. <dar...@gm...> - 2008-07-21 20:20:01
Thanks for taking a look at this, replies inline.

Darren.

On Mon, Jul 21, 2008 at 6:37 PM, Brian Carrier <ca...@sl...> wrote:
>> 2. Access to \\.\C: doesn't work on a live system due to a sharing
>> violation. I care about this because going via \\.\PhysicalDrive0
>> won't work for full disk encrypted drives. The problem is raw.c line
>> 237 where the image file is opened FILE_SHARE_READ, this is normally
>> correct, but in the case of volumes this will always fail. It is
>> possible however to open as FILE_SHARE_WRITE and then read the volume.
>> I have patched this and it works, but I guess we could add something
>> that tries FILE_SHARE_READ, then falls back to FILE_SHARE_WRITE on
>> failure. Happy to submit a patch for this if it is deemed useful.
>
> Ok, I'll add a variation of this in, but only if the path has the form of
> "\\.\?:" because I don't want random WRITE opens occurring for image files.

Note that the FILE_SHARE_WRITE designation doesn't open the file for writing, it designates how others should be able to access it, but this seems sensible anyway.

http://msdn.microsoft.com/en-us/library/aa363874(VS.85).aspx
http://blogs.msdn.com/larryosterman/archive/2004/05/13/131263.aspx

>
>> 3. When recompiling with VS 2005 I get some errors on execution on
>> some hosts due to wrong versions of the msvc libs. Is there any reason
>> we don't compile these libs in statically by default? Given the use of
>> these binaries it seems sensible and it only marginally affects the
>> size.
>
> Can you compile them in statically? I didn't think you could.

I figured it should be possible so went looking and found "Use of MFC" under:

Project Properties -> Configuration Properties -> General -> Use of MFC

Setting that to "Use MFC in a Static Library" for each sleuthkit project and recompiling it appears to work perfectly.

Searching after the fact I found:

http://msdn.microsoft.com/en-us/library/ms235264(VS.80).aspx
http://msdn.microsoft.com/en-us/library/ms235316(VS.80).aspx

Which advises against it, but I don't see any of the downsides being applicable in this instance. I did this under VC++ Express 2k8, but seems like it should work on any VS.
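
Added example (not part of this message and not Sleuth Kit source): one way to limit the relaxed share mode to volume paths of the form `\\.\?:` while image files keep FILE_SHARE_READ, as discussed in point 2 above. The function names, the drive-letter-only match and the combined FILE_SHARE_READ | FILE_SHARE_WRITE mode are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Values from winnt.h, defined here so the path check also builds off Windows. */
#define FILE_SHARE_READ  0x00000001
#define FILE_SHARE_WRITE 0x00000002
#endif

/* Returns 1 only for a bare volume device path such as \\.\C: (assumption:
 * the "?" in the mail's "\\.\?:" pattern is limited to an ASCII letter). */
int is_volume_path(const char *p)
{
    if (p == NULL || strlen(p) != 6)
        return 0;
    if (strncmp(p, "\\\\.\\", 4) != 0)
        return 0;
    char d = p[4];
    int letter = (d >= 'A' && d <= 'Z') || (d >= 'a' && d <= 'z');
    return letter && p[5] == ':';
}

/* Share mode to request: anything that is not a volume stays read-share only. */
unsigned long share_mode_for(const char *path)
{
    if (is_volume_path(path))
        return FILE_SHARE_READ | FILE_SHARE_WRITE;
    return FILE_SHARE_READ;
}

#ifdef _WIN32
/* Access is GENERIC_READ only; the share mode describes what other openers may do. */
HANDLE open_image_readonly(const char *path)
{
    return CreateFileA(path, GENERIC_READ, share_mode_for(path), NULL,
                       OPEN_EXISTING, 0, NULL);
}
#endif

int main(void)
{
    /* Constructed sample paths. */
    const char *samples[] = { "\\\\.\\C:", "\\\\.\\PhysicalDrive0", "C:\\case\\disk.dd" };
    for (size_t i = 0; i < 3; i++)
        printf("%-22s share=0x%lx\n", samples[i], share_mode_for(samples[i]));
    return 0;
}
```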