Re: [sleuthkit-users] Get direct blocks pointers for files/dirs
From: Pasquale R. <pjr...@gm...> - 2015-11-18 01:32:51
Efstratios,

Two things I see in the first code provided:

1. fs_file_block_number += size / 4096; seems like it should be fs_file_block_number = size / 4096, otherwise with each loop it should be fs_file_block_number = 0 + 2, then fs_file_block_number = 2 + 2, etc. for the required loops.

2. Inside the loop, blockstring[i] isn't provided the right answers to coincide with your addr printf's. The printf's should be

addr = 24172552
blockstring[0] = 24172552
addr = 24172553
blockstring[1] = 24172552

which would show the current address value which gets replaced (addr) is being stored in your array (blockstring), which is incrementing and not overwriting its value (0, 1, etc...)

When in doubt, debug the crap out of it with more minute variable debug/printf statements.

Let me know if any of those help you out,
Pasquale

On Tue, Nov 17, 2015 at 4:43 PM, Efstratios Skleparis <esk...@gm...> wrote:
> Dear all,
>
> I tried to implement a linked list like this :
>
> struct List {
>     struct List *next;
>     TSK_DADDR_T addr;
> };
>
> struct List *list; /*Global list*/
>
> void createL() {
>     list = NULL;
> }
>
> void insertL(TSK_DADDR_T addr) {
>     struct List *node;
>
>     if (list == NULL) { /*First node of our list*/
>         list = malloc(sizeof(struct List));
>         list->next = NULL;
>         list->addr = (TSK_DADDR_T*) malloc(4096 * sizeof(TSK_DADDR_T)); /*allocate space*/
>         if (list->addr == NULL) {
>             printf("Error in insertL malloc \n");
>             return;
>         }
>         list->addr = addr;
>         printf(" First Node - InsertL, list - > addr : %lu\n", list->addr); // just for debugging
>     } else {
>         node = malloc(sizeof(struct List));
>         node->next = list; /* This node becomes head of the list*/
>         list->addr = (TSK_DADDR_T*) malloc(4096 * sizeof(TSK_DADDR_T)); /*allocate space*/
>         if (node->addr == NULL) {
>             printf("Error in insertL malloc \n");
>             return;
>         }
>         node->addr = addr;
>         list = node;
>         printf("____InsertL - > list - > addr : %lu\n", node->addr); // just for debugging
>     }
> }
>
> void display(struct List *list)
> { // just print the list
>     while (list != NULL)
>     {
>         printf("Direct Blocks: %lu\t", list->addr);
>         list = list->next;
>     }
>     printf("\n");
> }
>
> void reversedisplay(struct List *head)
> { // print the list in reverse
>     if (head != NULL)
>     {
>         reversedisplay(head->next);
>         printf("%d\t", head->addr);
>     }
> }
>
> ---------------------------------------------------------------------------------
>
> And in GetBlockAddress I am calling insertL like this :
>
> TSK_WALK_RET_ENUM GetBlockAddress(TSK_FS_FILE *fs_file, TSK_OFF_T off,
>                                   TSK_DADDR_T addr, char *buf, size_t size,
>                                   TSK_FS_BLOCK_FLAG_ENUM flags, void *ptr)
> {
>     int s;
>
>     if (flags & TSK_FS_BLOCK_FLAG_CONT) {
>         /* Bitwise and , TSK_FS_BLOCK_FLAG_CONT = Block contains file content.*/
>         //printf("addr = %lu\n", addr );
>
>         for ( s = (int) size ; s > 0 ; s -= fs_file->fs_info->block_size ) {
>             /* Parse all the blocks, every 4096 bytes */
>             insertL(addr);
>             printf("Blockstring after insertion = %lu\n", list->addr ); // just for debugging
>
>             /* Calculate how many direct blocks the file has */
>             fs_file_block_number += size / 4096;
>
>             printf(" iteration [%d], s = %d \n", fs_file_block_number, s);
>         } /* end of for*/
>     } /* end of if*/
>
>     return TSK_WALK_CONT;
> }// end of GetBlockAddress
>
> But still when I am printing the list on the main function I get this :
>
> First Node - InsertL, list - > addr : 24172552
> Blockstring after insertion = 24172552
> iteration [1], s = 4096
> ____InsertL - > list - > addr : 24172553
> Blockstring after insertion = 24172553
> iteration [2], s = 4096
>
> fs_file_block_number = 2 // just for debugging - correct
>
> //reverse(display)
> 34986192 24172553
>
> //display(list)
> Direct Blocks: 24172553 Direct Blocks: 34986192
>
> I still can't get the first block number !! Though when I am calling GetBlockAddress the direct block numbers inside the function are correct, and when I am inserting them on the global list the number is correct again!!! But on main.c it's not, I can only get the second block number (my file has a size of 6113 bytes -> 2 blocks only, each block has 4096 size; correct direct block numbers are : 24172552 and 24172553, verified by istat and checked on the raw storage).
>
> I am starting to believe there is a "problem" with the calling of :
> tsk_fs_file_walk(fs_file, (TSK_FS_FILE_WALK_FLAG_ENUM)(TSK_FS_FILE_WALK_FLAG_AONLY | TSK_FS_FILE_WALK_FLAG_SLACK), GetBlockAddress, NULL);
> Correct me if I am wrong, or is it something with my implementation??
>
> Thanks again for your time,
> Efstratios
>
> On Tue, Nov 17, 2015 at 10:26 PM, Jean-François Gingras <jea...@gm...> wrote:
>
>> If I'm not mistaken, each time GetBlockAddress gets called, you reinitialize your blockstring variable (malloc).
>>
>> You should probably use a linked list of TSK_DADDR_T objects and add your block in GetBlockAddress to that list.
>>
>> Or you could resize the array.
>>
>> Also, I'm not sure the size parameter of GetBlockAddress has anything to do with the TSK_DADDR_T structure.
>>
>> Hope this will help
>>
>> On 17 Nov 2015 3:02 PM, "Efstratios Skleparis" <esk...@gm...> wrote:
>>
>>> Pasquale,
>>>
>>> You are right, sorry ! Here is what I have done :
>>>
>>> Global variables :
>>>
>>> TSK_DADDR_T *blockstring ; // array where I want to store block numbers
>>> int fs_file_block_number; // number of direct blocks per file
>>>
>>> GetBlockAddress Function code :
>>>
>>> TSK_WALK_RET_ENUM GetBlockAddress(TSK_FS_FILE *fs_file, TSK_OFF_T off,
>>>                                   TSK_DADDR_T addr, char *buf, size_t size,
>>>                                   TSK_FS_BLOCK_FLAG_ENUM flags, void *ptr) {
>>>
>>>     /*Memory Allocation for Block Addresses Array*/
>>>     blockstring = malloc(size * sizeof(TSK_DADDR_T));
>>>
>>>     int i = 0, s;
>>>
>>>     if (flags & TSK_FS_BLOCK_FLAG_CONT) {
>>>         /* Bitwise and , TSK_FS_BLOCK_FLAG_CONT = Block contains file content.*/
>>>         printf("addr = %lu\n", addr );
>>>
>>>         for ( s = (int) size ; s > 0 ; s -= fs_file->fs_info->block_size ) {
>>>             /* Parse all the blocks, every 4096 bytes */
>>>             if (addr) {
>>>                 blockstring[i] = addr;
>>>                 i++;
>>>
>>>                 /* Calculate how many direct blocks the file has */
>>>                 fs_file_block_number += size / 4096;
>>>                 s -= fs_file->fs_info->block_size;
>>>
>>>                 printf("blockstring[%d] = %lu\n", i, blockstring[i] );
>>>                 printf(" iteration [%d], s = %d \n", i, s);
>>>
>>>                 // tsk_printf("blockstring :%" PRIuDADDR "\n ", blockstring[fs_file_block_number]);
>>>                 // tsk_printf("[%d]\n", fs_file_block_number);
>>>             }
>>>         } /* end of for*/
>>>     } /* end of if*/
>>>
>>>     return TSK_WALK_CONT;
>>> }// end of GetBlockAddress
>>>
>>> How I call - use the above function in main :
>>>
>>> TSK_FS_FILE *fs_file = NULL;
>>>
>>> fs_file = tsk_fs_file_open_meta(fs, NULL, inum); // open file based on inode number
>>>
>>> if ((fs_file != NULL) && (fs_file->meta != NULL)) {
>>>     /* Error Checking*/
>>>     if (fs_file->fs_info->ftype == TSK_FS_TYPE_EXT4) {
>>>         /*Ext4 file system*/
>>>         tsk_fs_file_walk(fs_file,
>>>                          (TSK_FS_FILE_WALK_FLAG_ENUM)(
>>>                              TSK_FS_FILE_WALK_FLAG_AONLY |
>>>                              TSK_FS_FILE_WALK_FLAG_SLACK),
>>>                          GetBlockAddress, NULL);
>>>     }
>>> }
>>>
>>> printf("\n fs_file_block_number = %d \n", fs_file_block_number);
>>> for (i = 0; i < fs_file_block_number; i++) {
>>>     printf("Direct Blocks: %lu\n", blockstring[i] );
>>> }
>>>
>>> And the output I get is the following :
>>>
>>> inside function printfs <<<
>>> addr = 24172552
>>> blockstring[1] = 0
>>> iteration [1], s = 0
>>> addr = 24172553
>>> blockstring[1] = 0
>>> iteration [1], s = 0
>>>
>>> main printfs <<<
>>> fs_file_block_number = 2
>>>
>>> Direct Blocks: 24172553
>>>
>>> Direct Blocks: 0
>>>
>>> Thanks for your time,
>>> Efstratios
>>>
>>> On Tue, Nov 17, 2015 at 8:24 PM, Pasquale Rinaldi <pjr...@gm...> wrote:
>>>
>>>> Efstratios,
>>>>
>>>> Without seeing the code, it's hard to tell. It sounds like you have the array initialization inside your looping function, which would reset the array and then only store the last value in the loop since you just reset the array.
>>>>
>>>> It's hard to say without seeing the code though. It's purely a guess based on common mistakes I make when doing this kind of looping.
>>>>
>>>> Pasquale
>>>>
>>>> On Tue, Nov 17, 2015 at 5:34 AM, Efstratios Skleparis <esk...@gm...> wrote:
>>>>
>>>>> Pasquale,
>>>>>
>>>>> Thanks a lot for the information you provided me :-) I finally managed to get the direct block pointers of a file !!
>>>>>
>>>>> That if(flags & TSK_FS_BLOCK_FLAG_CONT) did the work, in the GetBlockAddress function! :-)
>>>>>
>>>>> My question is, is there a reason you can only "save" the last one from NumberX, NumberY, NumberZ [block pointers, numbers]? Or am I doing something wrong? I am using C, not C++, for my introspection tool.
>>>>>
>>>>> I tried using an array but still only NumberZ is saved, the others are lost. I placed some printfs and for some reason every time the array is initialized after it returns NumberX, NumberY.
>>>>>
>>>>> Thanks a lot for your time and help,
>>>>> Efstratios
>>>>>
>>>>> On Mon, Nov 16, 2015 at 3:23 AM, Pasquale Rinaldi <pjr...@gm...> wrote:
>>>>>
>>>>>> Efstratios,
>>>>>>
>>>>>> Check out this function in a program I am working on which incorporates the sleuthkit C library functions. I calculate the direct block addresses and store this value in my db table. The functions to look at are "BlockFile", "GetBlockAddress" and the "tsk_fs_file_walk" functions. They are on lines: 517-588.
>>>>>>
>>>>>> https://github.com/pjrinaldi/wombatforensics/blob/master/wombatfunctions.cpp
>>>>>>
>>>>>> I hope it helps.
>>>>>> Pasquale
>>>>>>
>>>>>> On Sat, Nov 14, 2015 at 12:25 PM, Efstratios Skleparis <esk...@gm...> wrote:
>>>>>>
>>>>>>> Dear all,
>>>>>>>
>>>>>>> I am using the Sleuth Kit library in order to write an introspection tool for the XEN hypervisor running on Ubuntu 12.04.5 x64, and my question is: if we have the inode number of a file on a disk [guest VM, ext4 filesystem], for example 6031126, and want to handle the direct block pointers of a file/directory later in a program, how can we get them (Direct Blocks : NumberX, NumberY etc)? I used the Sleuth Kit function istat inside my program like in the istat.cpp program of the library:
>>>>>>>
>>>>>>> if (fs->istat(fs, stdout, inum, numblock, sec_skew)) {
>>>>>>>     tsk_error_print(stderr);
>>>>>>>     fs->close(fs);
>>>>>>>     img->close(img);
>>>>>>>     exit(1);
>>>>>>> }
>>>>>>>
>>>>>>> to get information about this inode and I got this :
>>>>>>>
>>>>>>> inode: 6031126
>>>>>>> Allocated
>>>>>>> Group: 736
>>>>>>> Generation Id: 3880935525
>>>>>>> uid / gid: 1000 / 1000
>>>>>>> mode: rrw-------
>>>>>>> Flags: Extents,
>>>>>>> size: 6613
>>>>>>> num of links: 1
>>>>>>>
>>>>>>> Inode Times:
>>>>>>> Accessed: 2015-11-12 17:47:55.857360000 (EET)
>>>>>>> File Modified: 2015-03-27 14:05:13.000000000 (EET)
>>>>>>> Inode Modified: 2015-07-12 00:51:07.489188000 (EEST)
>>>>>>> File Created: 2015-07-12 00:51:07.489188000 (EEST)
>>>>>>>
>>>>>>> Direct Blocks:
>>>>>>> 24172552 24172553
>>>>>>>
>>>>>>> I know the block numbers by calling that function but I don't know where they are stored and how to retrieve them in a variable, in order to use them later in my tool!
>>>>>>>
>>>>>>> Any tips/suggestions or documentation would be appreciated!
>>>>>>> Thanks in advance!
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> sleuthkit-users mailing list
>>>>>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>>>>>> http://www.sleuthkit.org
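The collection pattern this thread converges on (record each address from inside the tsk_fs_file_walk callback, without re-allocating per call and without an inner loop over `size`), written out as an added example. It is not code from the thread, from wombatforensics or from The Sleuth Kit. It assumes minimal stand-in declarations for the handful of TSK types it touches, and a stand-in walker `fake_fs_file_walk` that calls the callback once per block the way TSK's attribute walk does; with libtsk you would include <tsk/libtsk.h>, delete the stand-ins, and call `tsk_fs_file_walk(fs_file, TSK_FS_FILE_WALK_FLAG_AONLY, collect_blocks, &bl)`. The sample file is the thread's own (6613 bytes in blocks 24172552 and 24172553); the sparse-file sample is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <inttypes.h>

/* Stand-ins for the TSK declarations used below (assumption: shapes and flag
 * values follow tsk_fs.h; with libtsk, #include <tsk/libtsk.h> instead). */
typedef uint64_t TSK_DADDR_T;
typedef int64_t  TSK_OFF_T;
typedef enum { TSK_WALK_CONT = 0, TSK_WALK_STOP = 1, TSK_WALK_ERROR = 2 } TSK_WALK_RET_ENUM;
typedef enum {
    TSK_FS_BLOCK_FLAG_CONT   = 0x0004,   /* block holds file content */
    TSK_FS_BLOCK_FLAG_SPARSE = 0x0040    /* hole: nothing on disk, addr is 0 */
} TSK_FS_BLOCK_FLAG_ENUM;
typedef struct { unsigned int block_size; } TSK_FS_INFO;
typedef struct { TSK_FS_INFO *fs_info; TSK_OFF_T size; } TSK_FS_FILE;
typedef TSK_WALK_RET_ENUM (*TSK_FS_FILE_WALK_CB)(TSK_FS_FILE *, TSK_OFF_T, TSK_DADDR_T,
                                                 char *, size_t, TSK_FS_BLOCK_FLAG_ENUM, void *);

/* Collector state, handed to the callback through its void *ptr argument:
 * no globals, and the buffer is grown, never re-malloc'd, across calls. */
struct block_list { TSK_DADDR_T *addrs; size_t count, cap; };

static int block_list_push(struct block_list *bl, TSK_DADDR_T addr)
{
    if (bl->count == bl->cap) {
        size_t ncap = bl->cap ? bl->cap * 2 : 8;
        TSK_DADDR_T *n = realloc(bl->addrs, ncap * sizeof *n);
        if (n == NULL) return -1;
        bl->addrs = n; bl->cap = ncap;
    }
    bl->addrs[bl->count++] = addr;
    return 0;
}

/* Walk callback: one call per block, so one address per call. Only content
 * blocks with a real on-disk address are kept; allocation failure stops the walk. */
static TSK_WALK_RET_ENUM collect_blocks(TSK_FS_FILE *fs_file, TSK_OFF_T off, TSK_DADDR_T addr,
                                        char *buf, size_t size, TSK_FS_BLOCK_FLAG_ENUM flags, void *ptr)
{
    struct block_list *bl = ptr;
    (void)fs_file; (void)off; (void)buf; (void)size;
    if (!(flags & TSK_FS_BLOCK_FLAG_CONT)) return TSK_WALK_CONT;
    if (flags & TSK_FS_BLOCK_FLAG_SPARSE)  return TSK_WALK_CONT;
    return block_list_push(bl, addr) == 0 ? TSK_WALK_CONT : TSK_WALK_ERROR;
}

/* Stand-in for tsk_fs_file_walk() (assumption: the real walk invokes the callback
 * once per block, the last call covering the tail of the file). `run` is a
 * constructed block map; a 0 entry models a hole in a sparse file. */
static int fake_fs_file_walk(TSK_FS_FILE *f, const TSK_DADDR_T *run, size_t nblocks,
                             TSK_FS_FILE_WALK_CB cb, void *ptr)
{
    TSK_OFF_T off = 0;
    for (size_t i = 0; i < nblocks; i++) {
        size_t left = (size_t)(f->size - off);
        size_t len = left < f->fs_info->block_size ? left : f->fs_info->block_size;
        TSK_FS_BLOCK_FLAG_ENUM flags = TSK_FS_BLOCK_FLAG_CONT;
        if (run[i] == 0) flags = (TSK_FS_BLOCK_FLAG_ENUM)(flags | TSK_FS_BLOCK_FLAG_SPARSE);
        if (cb(f, off, run[i], NULL, len, flags, ptr) != TSK_WALK_CONT) return -1;
        off += (TSK_OFF_T)len;
    }
    return 0;
}

/* ceil(size / block_size): the block count the collected list should match for a
 * non-sparse file. A mismatch means holes, or a callback that counted twice. */
static size_t expected_block_count(TSK_OFF_T size, unsigned int block_size)
{
    return (size_t)((size + block_size - 1) / block_size);
}

/* Collect the on-disk block addresses of a file into out[0..cap). Returns the
 * number collected, 0 on error. */
static size_t collect_blocks_of(TSK_OFF_T file_size, unsigned int block_size,
                                const TSK_DADDR_T *run, size_t nblocks, TSK_DADDR_T *out, size_t cap)
{
    TSK_FS_INFO fs = { block_size };
    TSK_FS_FILE f = { &fs, file_size };
    struct block_list bl = { NULL, 0, 0 };
    size_t n = 0;
    if (fake_fs_file_walk(&f, run, nblocks, collect_blocks, &bl) == 0) {
        n = bl.count < cap ? bl.count : cap;
        for (size_t i = 0; i < n; i++) out[i] = bl.addrs[i];
    }
    free(bl.addrs);
    return n;
}

/* Two constructed inputs: with_hole=0 is the thread's 6613-byte file (istat listed
 * blocks 24172552 24172553); with_hole=1 is a 12288-byte file whose middle block is a hole. */
static size_t run_sample(int with_hole, TSK_DADDR_T *out, size_t cap)
{
    static const TSK_DADDR_T two[]   = { 24172552, 24172553 };
    static const TSK_DADDR_T holed[] = { 24172552, 0, 24172554 };
    return with_hole ? collect_blocks_of(12288, 4096, holed, 3, out, cap)
                     : collect_blocks_of(6613, 4096, two, 2, out, cap);
}
static size_t sample_count(int with_hole) { TSK_DADDR_T b[8]; return run_sample(with_hole, b, 8); }
static TSK_DADDR_T sample_addr(int with_hole, size_t i)
{ TSK_DADDR_T b[8]; size_t n = run_sample(with_hole, b, 8); return i < n ? b[i] : 0; }

int main(void)
{
    TSK_DADDR_T got[8];
    size_t n = run_sample(0, got, 8);
    printf("expected %zu blocks, collected %zu\n", expected_block_count(6613, 4096), n);
    for (size_t i = 0; i < n; i++) printf("Direct Blocks: %" PRIu64 "\n", got[i]);
    return 0;
}
```

Two things in the posted code this avoids. First, the callback is invoked by the walk once per block, so the `for (s = size; ...)` loop plus `fs_file_block_number += size / 4096` inside it counts the same block again on every iteration; the callback should just record `addr` and return. Second, in the linked-list version the `else` branch writes `list->addr = (TSK_DADDR_T*) malloc(...)` into the existing head before making `node` the new head, so the first node's block number is replaced by a heap pointer, which is the stray 34986192 in the output. Passing the collector through `ptr` and comparing the collected count with `expected_block_count` catches both kinds of mistake; on a sparse file the two legitimately differ, which is worth knowing before you read those blocks from the raw image.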