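/*-
 ***********************************************************************
 *
 * $Id: decode.h,v 1.27 2014/07/18 06:40:44 mavrik Exp $
 *
 ***********************************************************************
 *
 * Copyright 2000-2014 The FTimes Project, All Rights Reserved.
 *
 ***********************************************************************
 */
#ifndef _DECODE_H_INCLUDED
#define _DECODE_H_INCLUDED

/*
 * Declarations for the snapshot decoder: size limits, the per-field
 * dispatch table, the record/state/statistics containers and the
 * function prototypes.
 *
 * This header includes nothing itself. APP_UI32, APP_UI64,
 * MD5_HASH_SIZE, FILE and NULL must already be declared by whatever
 * includes it.
 */

/*-
 ***********************************************************************
 *
 * Defines
 *
 ***********************************************************************
 */
/* Default only; an earlier definition wins. Presumably the capacity of
 * the pcError buffers passed to the functions below -- confirm. */
#ifndef MESSAGE_SIZE
#define MESSAGE_SIZE 1024
#endif

/* Default only; presumably room for CR, LF and the terminating NUL --
 * confirm against DecodeSetNewLine(). */
#ifndef NEWLINE_LENGTH
#define NEWLINE_LENGTH 3
#endif

#define DECODE_CHECKPOINT_LENGTH 2 /* Length of DECODE_CHECKPOINT_STRING, without the NUL. */
#define DECODE_CHECKPOINT_STRING "00"
#define DECODE_FIELDNAME_SIZE 32 /* Capacity, in bytes, of each name in DECODE_TABLE. */
#define DECODE_FIELD_COUNT 28 /* This value must be updated as new fields are added. */
/* Capacity of DECODE_RECORD.acLine; follows FTIMES_MAX_LINE when that is defined. */
#ifndef FTIMES_MAX_LINE
#define DECODE_MAX_LINE 8192
#else
#define DECODE_MAX_LINE FTIMES_MAX_LINE
#endif
/* Capacity of DECODE_STATE.name; follows FTIMES_MAX_PATH when that is defined. */
#ifndef FTIMES_MAX_PATH
#define DECODE_MAX_PATH 4096
#else
#define DECODE_MAX_PATH FTIMES_MAX_PATH
#endif
#define DECODE_SEPARATOR_C '|'
#define DECODE_SEPARATOR_S "|"
/*
 * With in-range components the format renders 19 characters, and
 * DECODE_TIME_FORMAT_SIZE adds one byte for the NUL. The widths are
 * minimums, not limits: an out-of-range component (for example a
 * five-digit or negative year) yields a longer string, so writers
 * should bound the call, e.g.
 * snprintf(buf, DECODE_TIME_FORMAT_SIZE, DECODE_TIME_FORMAT, ...).
 */
#define DECODE_TIME_FORMAT "%04d-%02d-%02d %02d:%02d:%02d"
#define DECODE_TIME_FORMAT_SIZE 20

/*-
 ***********************************************************************
 *
 * Macros
 *
 ***********************************************************************
 */
/*
 * DECODE_DEFINE_PREV_NUMBER_VALUE stores value in field and points
 * pfield at field; DECODE_UNDEFINE_PREV_NUMBER_VALUE zeroes field and
 * sets pfield to NULL.
 *
 * field is expanded twice and has its address taken, so it must be a
 * side-effect-free lvalue.
 *
 * Each body is wrapped in do { } while (0) so that both assignments stay
 * under the same condition when the macro is the body of an unbraced
 * `if` or loop; written as two bare statements, only the first one
 * would be governed by the condition and the pointer would be updated
 * unconditionally. The trailing semicolon is deliberate: it keeps call
 * sites that do not supply their own semicolon compiling. A call that
 * does supply one still needs braces when it sits between `if` and
 * `else`.
 */
#define DECODE_DEFINE_PREV_NUMBER_VALUE(field, pfield, value) do { (field) = (value); (pfield) = &(field); } while (0);
#define DECODE_UNDEFINE_PREV_NUMBER_VALUE(field, pfield) do { (field) = 0; (pfield) = NULL; } while (0);

/*-
 ***********************************************************************
 *
 * Typedefs
 *
 ***********************************************************************
 */
/*
 * One entry of the field dispatch table: two spellings of a field name
 * and the routine that handles the field.
 */
typedef struct _DECODE_TABLE
{
  char                acZName[DECODE_FIELDNAME_SIZE]; /* Presumably the compressed-format field name -- confirm. */
  char                acUName[DECODE_FIELDNAME_SIZE]; /* Presumably the uncompressed-format field name -- confirm. */
  /*
   * NOTE(review): the empty parameter list leaves this pointer
   * unprototyped, so the compiler cannot check the arguments at call
   * sites. Every DecodeProcess*() below shares one signature; giving
   * the pointer that signature would need DECODE_STATE declared first.
   */
  int               (*piRoutine) ();
} DECODE_TABLE;

/*
 * One snapshot line together with its field pointers and an MD5-sized
 * digest buffer.
 */
typedef struct _DECODE_RECORD
{
  char                acLine[DECODE_MAX_LINE]; /* Fixed capacity: readers must bound every write to DECODE_MAX_LINE. */
  char              **ppcFields;
  int                 iLineLength;
  unsigned char       aucHash[MD5_HASH_SIZE];
} DECODE_RECORD;

/*
 * Running decoder state. Apart from name, members come in value/pointer
 * pairs: x holds a number and px is presumably either NULL or &x, as the
 * DECODE_*_PREV_NUMBER_VALUE macros would leave them -- confirm against
 * the decoder. A NULL px would then mean "no previous value", which is
 * distinct from a stored value of 0.
 *
 * NOTE(review): the time members are APP_UI32; if that is a 32-bit type
 * holding seconds, later timestamps cannot be represented -- confirm.
 */
typedef struct _DECODE_STATE
{
  char                name[DECODE_MAX_PATH]; /* Fixed capacity: copies into it must be bounded by DECODE_MAX_PATH. */
  APP_UI32            dev;
  APP_UI32           *pdev;
  APP_UI32            inode;
  APP_UI32           *pinode;
  APP_UI32            volume;
  APP_UI32           *pvolume;
  APP_UI64            findex;
  APP_UI64           *pfindex;
  APP_UI32            mode;
  APP_UI32           *pmode;
  APP_UI32            attributes;
  APP_UI32           *pattributes;
  APP_UI32            nlink;
  APP_UI32           *pnlink;
  APP_UI32            uid;
  APP_UI32           *puid;
  APP_UI32            gid;
  APP_UI32           *pgid;
  APP_UI32            rdev;
  APP_UI32           *prdev;
  APP_UI32            atime;
  APP_UI32           *patime;
  APP_UI32            ams;
  APP_UI32           *pams;
  APP_UI32            mtime;
  APP_UI32           *pmtime;
  APP_UI32            mms;
  APP_UI32           *pmms;
  APP_UI32            ctime;
  APP_UI32           *pctime;
  APP_UI32            cms;
  APP_UI32           *pcms;
  APP_UI32            chtime;
  APP_UI32           *pchtime;
  APP_UI32            chms;
  APP_UI32           *pchms;
  APP_UI64            size;
  APP_UI64           *psize;
  APP_UI32            altstreams;
  APP_UI32           *paltstreams;
} DECODE_STATE;

/* Per-snapshot record counters. */
typedef struct _DECODE_STATS
{
  unsigned long       ulAnalyzed;
  unsigned long       ulDecoded;
  unsigned long       ulSkipped;
} DECODE_STATS;

/*
 * Everything the decoder keeps for one snapshot: the input stream, two
 * record buffers with current/previous pointers, the decode state and
 * statistics, and the header-derived field mapping.
 */
typedef struct _SNAPSHOT_CONTEXT
{
  char               *pcFile;
#define DECODE_RECORD_COUNT 2
  DECODE_RECORD       asRecords[DECODE_RECORD_COUNT];
  DECODE_RECORD      *psCurrRecord; /* Presumably points into asRecords -- confirm. */
  DECODE_RECORD      *psPrevRecord; /* Presumably points into asRecords -- confirm. */
  DECODE_STATE        sDecodeState;
  DECODE_STATS        sDecodeStats;
  DECODE_TABLE       *psDecodeMap;
  FILE               *pFile;
  int                 iCompressed;
  int                 aiIndex2Map[DECODE_FIELD_COUNT]; /* Holds DECODE_FIELD_COUNT entries; iFieldCount must never exceed that when indexing. */
  int                 iFieldCount;
  int                 iLegacyFile;
  int                 iLineNumber;
  int                 iNamesAreCaseInsensitive;
  int                 iSkipToNext;
  /* NOTE(review): if this is one bit per field, unsigned long guarantees
   * only 32 bits, which caps DECODE_FIELD_COUNT at 32 -- confirm. */
  unsigned long       ulFieldMask;
} SNAPSHOT_CONTEXT;

/*-
 ***********************************************************************
 *
 * Function Prototypes
 *
 ***********************************************************************
 */
/*
 * None of these prototypes carries a capacity for pcOutput, pcError or
 * pcTime, so the caller is the only party that can guarantee those
 * buffers are large enough. The required sizes are not stated here;
 * MESSAGE_SIZE and DECODE_TIME_FORMAT_SIZE look like the intended
 * bounds for pcError and pcTime -- confirm against the implementation.
 * iLength follows pcToken/pcData and presumably gives that input's
 * length; snapshot content is external input, so implementations should
 * validate it against the destination before copying.
 */
int                 Decode32BitHexToDecimal(char *pcData, int iLength, APP_UI32 *pui32ValueNew, APP_UI32 *pui32ValueOld, char *pcError);
int                 Decode64BitHexToDecimal(char *pcData, int iLength, APP_UI64 *pui64ValueNew, APP_UI64 *pui64ValueOld, char *pcError);
void                DecodeBuildFromBase64Table(void);
void                DecodeClearRecord(DECODE_RECORD *psRecord, int iFieldCount);
int                 DecodeFormatOutOfBandTime(char *pcToken, int iLength, char *pcOutput, char *pcError);
int                 DecodeFormatTime(APP_UI32 *pui32Time, char *pcTime);
void                DecodeFreeSnapshotContext(SNAPSHOT_CONTEXT *psSnapshot);
int                 DecodeGetBase64Hash(char *pcData, unsigned char *pucHash, int iLength, char *pcError);
int                 DecodeGetTableLength(void);
SNAPSHOT_CONTEXT   *DecodeNewSnapshotContext(char *pcError);
int                 DecodeOpenSnapshot(SNAPSHOT_CONTEXT *psSnapshot, char *pcError);
int                 DecodeParseHeader(SNAPSHOT_CONTEXT *psSnapshot, char *pcError);
int                 DecodeParseRecord(SNAPSHOT_CONTEXT *psSnapshot, char *pcError);
int                 DecodeProcessATime(DECODE_STATE *psDecodeState, char *pcToken, int iLength, char *pcOutput, char *pcError);
int                 DecodeProcessATimeMs(DECODE_STATE *psDecodeState, char *pcToken, int iLength, char *pcOutput, char *pcError);
int                 DecodeProcessAlternateDataStreams(DECODE_STATE *psDecodeState, char *pcToken, int iLength, char *pcOutput, char *pcError);
int                 DecodeProcessAttributes(DECODE_STATE *psDecodeState, char *pcToken, int iLength, char *pcOutput, char *pcError);
int                 DecodeProcessCTime(DECODE_STATE *psDecodeState, char *pcToken, int iLength, char *pcOutput, char *pcError);
int                 DecodeProcessCTimeMs(DECODE_STATE *psDecodeState, char *pcToken, int iLength, char *pcOutput, char *pcError);
int                 DecodeProcessChTime(DECODE_STATE *psDecodeState, char *pcToken, int iLength, char *pcOutput, char *pcError);
int                 DecodeProcessChTimeMs(DECODE_STATE *psDecodeState, char *pcToken, int iLength, char *pcOutput, char *pcError);
int                 DecodeProcessDevice(DECODE_STATE *psDecodeState, char *pcToken, int iLength, char *pcOutput, char *pcError);
int                 DecodeProcessFileIndex(DECODE_STATE *psDecodeState, char *pcToken, int iLength, char *pcOutput, char *pcError);
int                 DecodeProcessGroupId(DECODE_STATE *psDecodeState, char *pcToken, int iLength, char *pcOutput, char *pcError);
int                 DecodeProcessInode(DECODE_STATE *psDecodeState, char *pcToken, int iLength, char *pcOutput, char *pcError);
int                 DecodeProcessLinkCount(DECODE_STATE *psDecodeState, char *pcToken, int iLength, char *pcOutput, char *pcError);
int                 DecodeProcessMTime(DECODE_STATE *psDecodeState, char *pcToken, int iLength, char *pcOutput, char *pcError);
int                 DecodeProcessMTimeMs(DECODE_STATE *psDecodeState, char *pcToken, int iLength, char *pcOutput, char *pcError);
int                 DecodeProcessMagic(DECODE_STATE *psDecodeState, char *pcToken, int iLength, char *pcOutput, char *pcError);
int                 DecodeProcessMd5(DECODE_STATE *psDecodeState, char *pcToken, int iLength, char *pcOutput, char *pcError);
int                 DecodeProcessMode(DECODE_STATE *psDecodeState, char *pcToken, int iLength, char *pcOutput, char *pcError);
int                 DecodeProcessNada(DECODE_STATE *psDecodeState, char *pcToken, int iLength, char *pcOutput, char *pcError);
int                 DecodeProcessName(DECODE_STATE *psDecodeState, char *pcToken, int iLength, char *pcOutput, char *pcError);
int                 DecodeProcessRDevice(DECODE_STATE *psDecodeState, char *pcToken, int iLength, char *pcOutput, char *pcError);
int                 DecodeProcessSha1(DECODE_STATE *psDecodeState, char *pcToken, int iLength, char *pcOutput, char *pcError);
int                 DecodeProcessSha256(DECODE_STATE *psDecodeState, char *pcToken, int iLength, char *pcOutput, char *pcError);
int                 DecodeProcessSize(DECODE_STATE *psDecodeState, char *pcToken, int iLength, char *pcOutput, char *pcError);
int                 DecodeProcessUserId(DECODE_STATE *psDecodeState, char *pcToken, int iLength, char *pcOutput, char *pcError);
int                 DecodeProcessVolume(DECODE_STATE *psDecodeState, char *pcToken, int iLength, char *pcOutput, char *pcError);
char               *DecodeReadLine(SNAPSHOT_CONTEXT *psSnapshot, char *pcError);
int                 DecodeReadSnapshot(SNAPSHOT_CONTEXT *psSnapshot, char *pcError);
void                DecodeSetNewLine(char *pcNewLine);
void                DecodeSetOutputStream(FILE *pFile);
int                 DecodeWriteHeader(SNAPSHOT_CONTEXT *psSnapshot, char *pcError);
int                 DecodeWriteRecord(SNAPSHOT_CONTEXT *psSnapshot, char *pcError);

#endif /* !_DECODE_H_INCLUDED */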