1 /*
2
3 File: file_vault.c
4
5 Copyright (C) 2011 Christophe GRENIER <grenier@cgsecurity.org>
6
7 This software is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License along
18 with this program; if not, write the Free Software Foundation, Inc., 51
19 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
20
21 */
22
23 #ifdef HAVE_CONFIG_H
24 #include <config.h>
25 #endif
26 #ifdef HAVE_STRING_H
27 #include <string.h>
28 #endif
29 #include <stdio.h>
30 #include "types.h"
31 #include "filegen.h"
32
33 static void register_header_check_vault(file_stat_t *file_stat);
34
35 const file_hint_t file_hint_vault= {
36 .extension="vault",
37 .description="McAfee Anti-Theft/FileVault",
38 .max_filesize=PHOTOREC_MAX_FILE_SIZE,
39 .recover=1,
40 .enable_by_default=1,
41 .register_header_check=®ister_header_check_vault
42 };
43
44 /*
45 * 03200be0 00 00 00 38 65 31 39 37 34 32 30 2d 39 35 65 34 |...8e197420-95e4|
46 * 03200bf0 2d 34 36 33 33 2d 61 33 34 66 2d 34 61 66 64 36 |-4633-a34f-4afd6|
47 * 03200c00 30 64 61 62 64 64 37 00 |0dabdd7.|
48 * */
data_check_vault(const unsigned char * buffer,const unsigned int buffer_size,file_recovery_t * file_recovery)49 static data_check_t data_check_vault(const unsigned char *buffer, const unsigned int buffer_size, file_recovery_t *file_recovery)
50 {
51 if(buffer_size>8)
52 {
53 unsigned int i;
54 for(i=(buffer_size/2)-28;i+28<buffer_size;i++)
55 {
56 if(buffer[i]=='-' && buffer[i+5]=='-' && buffer[i+10]=='-' && buffer[i+15]=='-' && buffer[i+28]=='\0')
57 {
58 file_recovery->calculated_file_size=file_recovery->file_size+i+28+1-(buffer_size/2);
59 return DC_STOP;
60 }
61 }
62 }
63 file_recovery->calculated_file_size=file_recovery->file_size+(buffer_size/2);
64 return DC_CONTINUE;
65 }
66
header_check_vault(const unsigned char * buffer,const unsigned int buffer_size,const unsigned int safe_header_only,const file_recovery_t * file_recovery,file_recovery_t * file_recovery_new)67 static int header_check_vault(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new)
68 {
69 reset_file_recovery(file_recovery_new);
70 file_recovery_new->extension=file_hint_vault.extension;
71 file_recovery_new->data_check=&data_check_vault;
72 file_recovery_new->file_check=&file_check_size;
73 return 1;
74 }
75
register_header_check_vault(file_stat_t * file_stat)76 static void register_header_check_vault(file_stat_t *file_stat)
77 {
78 static const unsigned char vault_header[0x12]= {
79 'S' , 'a' , 'f' , 'e' , 'B' , 'o' , 'o' , 't' ,
80 'E' , 'n' , 'c' , 'V' , 'o' , 'l' , '1' , 0x00,
81 0x01, 0x01
82 };
83 register_header_check(0, vault_header, sizeof(vault_header), &header_check_vault, file_stat);
84 }
85