Re: [sleuthkit-users] Get direct blocks pointers for files/dirs
From: Efstratios S. <esk...@gm...> - 2015-11-17 21:43:50
Dear all,
I tried to implement a linked list like this :
struct List {
    struct List *next;
    TSK_DADDR_T addr;
};

struct List *list; /* Global list */

void createL() {
    list = NULL;
}

void insertL(TSK_DADDR_T addr) {
    struct List *node;
    if (list == NULL) { /* First node of our list */
        list = malloc(sizeof(struct List));
        list->next = NULL;
        list->addr = (TSK_DADDR_T*) malloc(4096 * sizeof(TSK_DADDR_T)); /* allocate space */
        if (list->addr == NULL) {
            printf("Error in insertL malloc \n");
            return;
        }
        list->addr = addr;
        printf(" First Node - InsertL, list - > addr : %lu\n", list->addr); // just for debugging
    } else {
        node = malloc(sizeof(struct List));
        node->next = list; /* This node becomes head of the list */
        list->addr = (TSK_DADDR_T*) malloc(4096 * sizeof(TSK_DADDR_T)); /* allocate space */
        if (node->addr == NULL) {
            printf("Error in insertL malloc \n");
            return;
        }
        node->addr = addr;
        list = node;
        printf("____InsertL - > list - > addr : %lu\n", node->addr); // just for debugging
    }
}

void display(struct List *list)
{ // just print the list
    while (list != NULL)
    {
        printf("Direct Blocks: %lu\t", list->addr);
        list = list->next;
    }
    printf("\n");
}

void reversedisplay(struct List *head)
{ // print the list in reverse
    if (head != NULL)
    {
        reversedisplay(head->next);
        printf("%lu\t", head->addr);
    }
}
---------------------------------------------------------------------------------
And in GetBlockAddress I am calling insertL like this :
TSK_WALK_RET_ENUM GetBlockAddress(TSK_FS_FILE *fs_file, TSK_OFF_T off,
                                  TSK_DADDR_T addr, char *buf, size_t size,
                                  TSK_FS_BLOCK_FLAG_ENUM flags, void *ptr) {
    int s;
    if (flags & TSK_FS_BLOCK_FLAG_CONT) {
        /* Bitwise and, TSK_FS_BLOCK_FLAG_CONT = block contains file content. */
        //printf("addr = %lu\n", addr );
        for ( s = (int) size ; s > 0 ; s -= fs_file->fs_info->block_size ) {
            /* Parse all the blocks, every 4096 bytes */
            insertL(addr);
            printf("Blockstring after insertion = %lu\n", list->addr ); // just for debugging
            /* Calculate how many direct blocks the file has */
            fs_file_block_number += size / 4096;
            printf(" iteration [%d], s = %d \n", fs_file_block_number, s);
        } /* end of for */
    } /* end of if */
    return TSK_WALK_CONT;
} // end of GetBlockAddress
But still, when I am printing the list in the main function I get this:
First Node - InsertL, list - > addr : 24172552
Blockstring after insertion = 24172552
iteration [1], s = 4096
____InsertL - > list - > addr : 24172553
Blockstring after insertion = 24172553
iteration [2], s = 4096
fs_file_block_number = 2 // just for debugging - correct
//reverse(display)
34986192 24172553
//display(list)
Direct Blocks: 24172553 Direct Blocks: 34986192
I still can't get the first block number!! Though when I am calling
GetBlockAddress the direct block numbers inside the function are correct,
and when I am inserting them into the global list the number is correct again!!!
But in main.c it's not; I can only get the second block number (my file has
a size of 6113 bytes -> 2 blocks only, each block has size 4096; the correct
direct block numbers are 24172552 and 24172553, verified by istat and
checked on the raw storage).
I am starting to believe there is a "problem" with the call to:
tsk_fs_file_walk(fs_file,
                 (TSK_FS_FILE_WALK_FLAG_ENUM)(TSK_FS_FILE_WALK_FLAG_AONLY
                                              | TSK_FS_FILE_WALK_FLAG_SLACK),
                 GetBlockAddress, NULL);
Correct me if I am wrong, or is it something with my implementation??
Thanks again for your time,
Efstratios
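Added example, not part of this thread: a corrected version of the list above in plain C. In the else branch of the posted insertL, a malloc'd pointer is assigned to list->addr, so the head node's block number is replaced by a heap address (the 34986192 in the output); a TSK_DADDR_T holds a block number by value and needs no allocation of its own. The libtsk types are replaced by stand-ins (TSK_DADDR_T as uint64_t, constructed flag values) so it compiles without the library, and the list is handed to the callback through the ptr argument instead of a global.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Stand-ins for libtsk (assumption: tsk/libtsk.h is not included here; a real
 * build uses the library's TSK_DADDR_T and TSK_FS_BLOCK_FLAG_CONT instead). */
typedef uint64_t TSK_DADDR_T;
#define BLOCK_FLAG_CONT  0x01   /* block holds file content (constructed value) */
#define BLOCK_FLAG_SLACK 0x02   /* block is slack space only (constructed value) */
struct Node { struct Node *next; TSK_DADDR_T addr; };
/* Head and tail so appends keep walk order; reaches the callback via ptr. */
struct BlockList { struct Node *head, *tail; size_t count; };
/* Append one block number: addr is a plain integer, so the node is the only allocation. */
static int block_list_push(struct BlockList *bl, TSK_DADDR_T addr) {
    struct Node *n = malloc(sizeof *n);
    if (n == NULL) return -1;
    n->addr = addr; n->next = NULL;
    if (bl->head == NULL) bl->head = n; else bl->tail->next = n;
    bl->tail = n; bl->count++;
    return 0;
}
static void block_list_free(struct BlockList *bl) {
    for (struct Node *n = bl->head, *next; n != NULL; n = next) { next = n->next; free(n); }
    bl->head = bl->tail = NULL; bl->count = 0;
}
/* Copies the collected addresses into out[] in walk order; returns the count. */
static size_t block_list_copy(const struct BlockList *bl, TSK_DADDR_T *out, size_t max) {
    size_t i = 0;
    for (const struct Node *n = bl->head; n != NULL && i < max; n = n->next) out[i++] = n->addr;
    return i;
}
/* Callback body: tsk_fs_file_walk invokes it once per block (every call in the
 * posted output has size == block_size), so no loop over size is needed. */
static int on_block(TSK_DADDR_T addr, unsigned flags, void *ptr) {
    struct BlockList *bl = ptr;
    if (!(flags & BLOCK_FLAG_CONT)) return 0;       /* slack-only block: skip */
    return block_list_push(bl, addr) == 0 ? 0 : 1;  /* nonzero: stop the walk */
}
/* Constructed walk: the two content blocks istat reported for inode 6031126,
 * then the last block delivered again flagged as slack, which must be skipped. */
size_t demo_walk(TSK_DADDR_T *out, size_t max) {
    struct BlockList bl = { NULL, NULL, 0 };
    const TSK_DADDR_T addrs[] = { 24172552, 24172553, 24172553 };
    const unsigned flags[] = { BLOCK_FLAG_CONT, BLOCK_FLAG_CONT, BLOCK_FLAG_SLACK };
    for (size_t i = 0; i < 3; i++) on_block(addrs[i], flags[i], &bl);
    size_t n = block_list_copy(&bl, out, max);
    block_list_free(&bl);
    return n;
}
```

Compiling with -Wall would have flagged the original pointer-to-integer assignment, which is the cheapest check for this class of bug.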
On Tue, Nov 17, 2015 at 10:26 PM, Jean-François Gingras <jea...@gm...> wrote:
> If I'm not mistaken, each time GetBlockAddress gets called, you
> reinitialize your blockstring variable (malloc).
>
> You should probably use a linked list of TSK_DADDR_T objects and add your
> block in GetBlockAddress to that list.
>
> Or you could resize the array.
>
> Also, I'm not sure the size parameter of GetBlockAddress has anything to
> do with the TSK_DADDR_T structure.
>
> Hope this will help
> On 17 Nov 2015 3:02 PM, "Efstratios Skleparis" <esk...@gm...> wrote:
>
>> Pasquale,
>>
>> You are right, sorry ! here is what I have done :
>>
>>
>> Global variables :
>>
>> TSK_DADDR_T *blockstring ; // array where I want to store block numbers
>>
>> int fs_file_block_number; // numbers of direct blocks per files
>>
>> GetBlockAddress Function code :
>>
>> TSK_WALK_RET_ENUM GetBlockAddress(TSK_FS_FILE *fs_file, TSK_OFF_T off,
>>                                   TSK_DADDR_T addr, char *buf, size_t size,
>>                                   TSK_FS_BLOCK_FLAG_ENUM flags, void *ptr) {
>>
>>     /* Memory Allocation for Block Addresses Array */
>>     blockstring = malloc(size * sizeof(TSK_DADDR_T));
>>
>>     int i = 0, s;
>>
>>     if (flags & TSK_FS_BLOCK_FLAG_CONT) {
>>         /* Bitwise and, TSK_FS_BLOCK_FLAG_CONT = block contains file content. */
>>
>>         printf("addr = %lu\n", addr );
>>
>>         for ( s = (int) size ; s > 0 ; s -= fs_file->fs_info->block_size ) {
>>             /* Parse all the blocks, every 4096 bytes */
>>
>>             if (addr) {
>>
>>                 blockstring[i] = addr;
>>                 i++;
>>
>>                 /* Calculate how many direct blocks the file has */
>>                 fs_file_block_number += size / 4096;
>>                 s -= fs_file->fs_info->block_size;
>>
>>                 printf("blockstring[%d] = %lu\n", i, blockstring[i] );
>>                 printf(" iteration [%d], s = %d \n", i, s);
>>
>>                 // tsk_printf("blockstring :%"
>>                 // PRIuDADDR
>>                 // "\n ", blockstring[fs_file_block_number]);
>>
>>                 // tsk_printf("[%d]\n", fs_file_block_number);
>>             }
>>         } /* end of for */
>>     } /* end of if */
>>
>>     return TSK_WALK_CONT;
>> } // end of GetBlockAddress
>>
>> How I call - use the above function in main :
>>
>>
>> TSK_FS_FILE *fs_file = NULL;
>>
>> fs_file = tsk_fs_file_open_meta(fs, NULL, inum); // open file based on inode number
>>
>> if ((fs_file != NULL) && (fs_file->meta != NULL)) {
>>     /* Error Checking */
>>
>>     if (fs_file->fs_info->ftype == TSK_FS_TYPE_EXT4) {
>>         /* Ext4 file system */
>>         tsk_fs_file_walk(fs_file,
>>                          (TSK_FS_FILE_WALK_FLAG_ENUM)(
>>                              TSK_FS_FILE_WALK_FLAG_AONLY |
>>                              TSK_FS_FILE_WALK_FLAG_SLACK),
>>                          GetBlockAddress, NULL);
>>     }
>> }
>>
>> printf("\n fs_file_block_number = %d \n", fs_file_block_number);
>> for (i = 0; i < fs_file_block_number; i++) {
>>     printf("Direct Blocks: %lu\n", blockstring[i] );
>> }
>>
>>
>> And the output I get is the following:
>> >>> inside function printfs <<<
>> addr = 24172552
>> blockstring[1] = 0
>> iteration [1], s = 0
>> addr = 24172553
>> blockstring[1] = 0
>> iteration [1], s = 0
>>
>> >>> main printfs <<<
>> fs_file_block_number = 2
>>
>> Direct Blocks: 24172553
>>
>> Direct Blocks: 0
>>
>> Thanks for your time,
>> Efstratios
>>
>> On Tue, Nov 17, 2015 at 8:24 PM, Pasquale Rinaldi <pjr...@gm...>
>> wrote:
>>
>>> Efstratios,
>>>
>>> Without seeing the code, it's hard to tell. It sounds like you have the
>>> array initialization inside your looping function, which would reset the
>>> array and then only store the last value in the loop, since you just reset
>>> the array.
>>>
>>> It's hard to say without seeing the code though. It's purely a guess
>>> based on common mistakes I make when doing this kind of looping.
>>>
>>> Pasquale
>>>
>>> On Tue, Nov 17, 2015 at 5:34 AM, Efstratios Skleparis <
>>> esk...@gm...> wrote:
>>>
>>>> Pasquale,
>>>>
>>>> Thanks a lot for the information you provided me :-) I finally managed
>>>> to get the direct block pointers of a file !!
>>>>
>>>> That if(flags & TSK_FS_BLOCK_FLAG_CONT) did the work, on
>>>> GetBlockAddress function! :-)
>>>>
>>>> My question is: is there a reason you can only "save" the last one from
>>>> NumberX, NumberY, NumberZ [block pointers, numbers]? Or am I doing something
>>>> wrong? I am using C, not C++, for my introspection tool.
>>>>
>>>> I tried using an array but still only NumberZ is saved; the others are
>>>> lost. I placed some printfs and for some reason every time the array
>>>> is initialized after it returns NumberX, NumberY.
>>>>
>>>> Thanks a lot for your time and help,
>>>> Efstratios
>>>>
>>>> On Mon, Nov 16, 2015 at 3:23 AM, Pasquale Rinaldi <pjr...@gm...>
>>>> wrote:
>>>>
>>>>> Efstratios,
>>>>>
>>>>> Check out this function on a program I am working on which
>>>>> incorporates the sleuthkit c library functions. I calculate the direct
>>>>> block addresses and store this value in my db table. The functions to look
>>>>> at are "BlockFile", "GetBlockAddress" and the "tsk_fs_file_walk" functions.
>>>>> They are on lines: 517-588.
>>>>>
>>>>>
>>>>> https://github.com/pjrinaldi/wombatforensics/blob/master/wombatfunctions.cpp
>>>>>
>>>>> I hope it helps.
>>>>> Pasquale
>>>>>
>>>>> On Sat, Nov 14, 2015 at 12:25 PM, Efstratios Skleparis <
>>>>> esk...@gm...> wrote:
>>>>>
>>>>>> Dear all,
>>>>>>
>>>>>> I am using the Sleuth Kit library in order to write an introspection tool
>>>>>> for the *XEN* hypervisor running on Ubuntu 12.04.5 x64 and my
>>>>>> question is: if we have the inode number of a file on a disk [guest VM,
>>>>>> *ext4* filesystem], for example 6031126, and want to handle the *direct
>>>>>> block pointers of a file/directory* later in a program, how can we
>>>>>> get them (Direct Blocks: *NumberX*, *NumberY* etc.)? I used the
>>>>>> Sleuth Kit function *istat* inside my program like in the istat.cpp
>>>>>> program of the library:
>>>>>>
>>>>>> if (fs->istat(fs, stdout, inum, numblock, sec_skew)) {
>>>>>>     tsk_error_print(stderr);
>>>>>>     fs->close(fs);
>>>>>>     img->close(img);
>>>>>>     exit(1);
>>>>>> }
>>>>>>
>>>>>> to get information about this inode, and I got this:
>>>>>>
>>>>>> inode: 6031126
>>>>>> Allocated
>>>>>> Group: 736
>>>>>> Generation Id: 3880935525
>>>>>> uid / gid: 1000 / 1000
>>>>>> mode: rrw-------
>>>>>> Flags: Extents,
>>>>>> size: 6613
>>>>>> num of links: 1
>>>>>>
>>>>>> Inode Times:
>>>>>> Accessed: 2015-11-12 17:47:55.857360000 (EET)
>>>>>> File Modified: 2015-03-27 14:05:13.000000000 (EET)
>>>>>> Inode Modified: 2015-07-12 00:51:07.489188000 (EEST)
>>>>>> File Created: 2015-07-12 00:51:07.489188000 (EEST)
>>>>>>
>>>>>> Direct Blocks:
>>>>>> 24172552 24172553
>>>>>>
>>>>>> I know the block numbers by calling that function, but I don't know
>>>>>> where they are stored and how to retrieve them into a variable in order to
>>>>>> use them later in my tool!
>>>>>>
>>>>>> Any tips/suggestions or documentation would be appreciated!
>>>>>> Thanks in advance!
>>>>>>
>>>>>>
>>>>>> ------------------------------------------------------------------------------
>>>>>>
>>>>>> _______________________________________________
>>>>>> sleuthkit-users mailing list
>>>>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>>>>> http://www.sleuthkit.org