1 /*
2 * The Sleuth Kit
3 *
4 * Brian Carrier [carrier <at> sleuthkit [dot] org]
5 * Copyright (c) 2007-2011 Brian Carrier. All Rights reserved
6 *
7 * This software is distributed under the Common Public License 1.0
8 */
9
10 /** \file tsk_base.h
11 * Contains the type and function definitions that are needed
12 * by external programs to use the TSK library.
13 * Note that this file is not meant to be directly included.
14 * It is included by both libtsk.h and tsk_base_i.h.
15 */
16
17
18 /**
19 * \defgroup baselib C Base TSK Library Functions
20 * \defgroup baselib_cpp C++ Base TSK Library Classes
21 */
22
23 #ifndef _TSK_BASE_H
24 #define _TSK_BASE_H
25
26 // standard C header files
27 #include <stdio.h>
28 #include <stdlib.h>
29 #include <stdarg.h>
30
31 /** Version of code in number form.
32 * Upper byte is A, next is B, and next byte is C in version A.B.C.
33 * Lowest byte is 0xff, except in beta releases, in which case it
34 * increments from 1. Nightly snapshots will have upper byte as
35 * 0xff and next bytes with year, month, and date, respectively.
36 * Note that you will not be able to differentiate between snapshots
37 * from the trunk or branches with this method...
38 * For example, 3.1.2 would be stored as 0x030102FF.
39 * 3.1.2b1 would be 0x03010201. Snapshot from Jan 2, 2003 would be
40 * 0xFF030102.
41 * See TSK_VERSION_STR for string form. */
42 #define TSK_VERSION_NUM 0x041002ff
43
44 /** Version of code in string form. See TSK_VERSION_NUM for
45 * integer form. */
46 #define TSK_VERSION_STR "4.10.2"
47
48
49 /* include the TSK-specific header file that we created in autoconf
50 * On Win32 (Visual Studio) though, we will not have this file...
51 */
52 #if !defined(_MSC_VER)
53 #include "tsk/tsk_incs.h"
54 #endif
55
56 // get some other TSK / OS settings
57 #include "tsk_os.h"
58
59 #ifdef TSK_WIN32
60 #define strncasecmp _strnicmp
61 #endif
62
63 #ifdef __cplusplus
64 extern "C" {
65 #endif
66
67 #define TSK_ERROR_STRING_MAX_LENGTH 1024
68
69 typedef struct {
70 uint32_t t_errno;
71 char errstr[TSK_ERROR_STRING_MAX_LENGTH + 1];
72 char errstr2[TSK_ERROR_STRING_MAX_LENGTH + 1];
73 char errstr_print[TSK_ERROR_STRING_MAX_LENGTH + 1];
74 } TSK_ERROR_INFO;
75
76 /* The core function here is to retrieve the per-thread error structure. Other functions to follow
77 * are for convenience of performing common operations. */
78 extern TSK_ERROR_INFO *tsk_error_get_info();
79
80 extern uint32_t tsk_error_get_errno();
81 extern void tsk_error_set_errno(uint32_t t_errno);
82
83 #ifdef __GNUC__
84 #define TSK_ERROR_FORMAT_ATTRIBUTE(n,m) __attribute__((format (printf, n, m)))
85 #else
86 #define TSK_ERROR_FORMAT_ATTRIBUTE(n,m)
87 #endif
88
89 extern char *tsk_error_get_errstr();
90 extern void tsk_error_set_errstr(const char *format,
91 ...) TSK_ERROR_FORMAT_ATTRIBUTE(1, 2);
92 extern void tsk_error_vset_errstr(const char *format, va_list args);
93 extern char *tsk_error_get_errstr2();
94 extern void tsk_error_set_errstr2(const char *format,
95 ...) TSK_ERROR_FORMAT_ATTRIBUTE(1, 2);
96 extern void tsk_error_vset_errstr2(const char *format, va_list args);
97 extern void tsk_error_errstr2_concat(const char *format,
98 ...) TSK_ERROR_FORMAT_ATTRIBUTE(1, 2);
99
100 /** Return a human-readable form of tsk_error_get_errno **/
101 extern const char *tsk_error_get();
102
103 extern void tsk_error_print(FILE *);
104 extern void tsk_error_reset();
105
106
107 #ifdef TSK_MULTITHREAD_LIB
108 #ifdef TSK_WIN32
ti_usb3_readl(void __iomem * base,u32 offset)109 void *tsk_error_win32_get_per_thread_(unsigned struct_size);
110 typedef struct {
111 CRITICAL_SECTION critical_section;
112 } tsk_lock_t;
113
ti_usb3_writel(void __iomem * base,u32 offset,u32 value)114 // non-windows
115 #else
116 /* Note that there is an assumption that TSK_MULTITHREADED_LIB was
117 * set only if we have pthreads. If we add a check for HAVE_PTHREAD
118 * here, it causes problems when you try to include the library in
119 * a tool because they do not have tsk_config.h included.
120 */
121 #include <pthread.h>
122 typedef struct {
123 pthread_mutex_t mutex;
124 } tsk_lock_t;
125
126 #endif
127
128 // single threaded lib
129 #else
130 typedef struct {
131 void *dummy;
132 } tsk_lock_t;
133 #endif
134
135 /**
136 * Return values for some TSK functions that need to differentiate between errors and corrupt data.
ti_usb3_dpll_wait_lock(struct ti_usb_phy * phy)137 */
138 typedef enum {
139 TSK_OK, ///< Ok -- success
140 TSK_ERR, ///< System error -- should abort
141 TSK_COR, ///< Data is corrupt, can still process another set of data
142 TSK_STOP ///< Stop further processing, not an error though.
143 } TSK_RETVAL_ENUM;
144
145
146 typedef struct TSK_LIST TSK_LIST;
147 /**
148 * Linked list structure that holds a 'key' and optional 'length'.
ti_usb3_dpll_program(struct ti_usb_phy * phy)149 * Note that the data is stored in reverse sort order so that inserts
150 * are faster. Also note that the length is a negative number. A key of
151 * '6' and a len of '2' means that the run contains 6 and 5.
152 */
153 struct TSK_LIST {
154 TSK_LIST *next; ///< Pointer to next entry in list
155 uint64_t key; ///< Largest value in this run
156 uint64_t len; ///< Length of run (negative number, stored as positive)
157 };
158 extern uint8_t tsk_list_find(TSK_LIST * list, uint64_t key);
159 extern uint8_t tsk_list_add(TSK_LIST ** list, uint64_t key);
160 extern void tsk_list_free(TSK_LIST * list);
161
162
163 // note that the stack code is in this file and not internal for convenience to users
164 /**
165 * Basic stack structure to push and pop (used for finding loops in recursion).
166 */
167 typedef struct {
168 uint64_t *vals; ///< Array that contains the values in the stack
169 size_t top; ///< Index to the top stack entry
170 size_t len; ///< Number of entries in the stack
171 } TSK_STACK;
172
173 extern uint8_t tsk_stack_push(TSK_STACK * stack, uint64_t key);
174 extern void tsk_stack_pop(TSK_STACK * stack);
175 extern uint8_t tsk_stack_find(TSK_STACK * stack, uint64_t key);
176 extern void tsk_stack_free(TSK_STACK * stack);
177 extern TSK_STACK *tsk_stack_create();
178
179
180 // print internal UTF-8 strings to local platform Unicode format
181 extern void tsk_fprintf(FILE * fd, const char *msg, ...);
182 extern void tsk_printf(const char *msg, ...);
183
184 // print path removing special characters
185 extern int tsk_print_sanitized(FILE * fd, const char *str);
186
187
188 /** \name printf macros if system does not define them */
189 //@{
190 #ifndef PRIx64
191 #define PRIx64 "llx"
ti_usb2_phy_power(struct ti_usb_phy * phy,int on)192 #endif
193
194 #ifndef PRIX64
195 #define PRIX64 "llX"
196 #endif
197
198 #ifndef PRIu64
199 #define PRIu64 "llu"
200 #endif
201
202 #ifndef PRId64
203 #define PRId64 "lld"
204 #endif
205
206 #ifndef PRIo64
207 #define PRIo64 "llo"
208 #endif
209
210 #ifndef PRIx32
211 #define PRIx32 "x"
212 #endif
213
214 #ifndef PRIX32
215 #define PRIX32 "X"
216 #endif
217
218 #ifndef PRIu32
219 #define PRIu32 "u"
220 #endif
221
222 #ifndef PRId32
223 #define PRId32 "d"
224 #endif
225
226 #ifndef PRIx16
227 #define PRIx16 "hx"
228 #endif
229
230 #ifndef PRIX16
231 #define PRIX16 "hX"
232 #endif
233
234 #ifndef PRIu16
235 #define PRIu16 "hu"
236 #endif
237
238 #ifndef PRIu8
239 #define PRIu8 "hhu"
240 #endif
241
242 #ifndef PRIx8
243 #define PRIx8 "hhx"
244 #endif
245 //@}
246
247
248
249 /** @name Internal integer types and printf macros*/
250 //@{
251 typedef uint64_t TSK_INUM_T; ///< Data type used to internally store metadata / inode addresses
252 #define PRIuINUM PRIu64
253 #define PRIxINUM PRIx64
254
255 typedef uint32_t TSK_UID_T; ///< Data type used to internally store User IDs
256 #define PRIuUID PRIu32
257 #define PRIxUID PRIx32
258
259 typedef uint32_t TSK_GID_T; ///< Data type used to internally store Group IDs
260 #define PRIuGID PRIu32
261 #define PRIxGID PRIx32
262
263 typedef uint64_t TSK_DADDR_T; ///< Data type used to internally store sector and block addresses
264 #define PRIuDADDR PRIu64
265 #define PRIxDADDR PRIx64
ti_usb_phy_uboot_init(struct ti_usb_phy_device * dev)266
267 typedef int64_t TSK_OFF_T; ///< Data type used to internally store volume, file, etc. sizes and offsets
268 #define PRIxOFF PRIx64
269 #define PRIdOFF PRId64
270
271 typedef uint32_t TSK_PNUM_T; ///< Data type used to internally store partition addresses
272 #define PRIuPNUM PRIu32
273 #define PRIxPNUM PRIx32
274 //@}
275
276
277 extern void tsk_version_print(FILE *);
278 extern const char *tsk_version_get_str();
279
280
281 /*********** RETURN VALUES ************/
282
283 /**
284 * Values that callback functions can return to calling walk function.
285 */
286 typedef enum {
287 TSK_WALK_CONT = 0x0, ///< Walk function should continue to next object
288 TSK_WALK_STOP = 0x1, ///< Walk function should stop processing units and return OK
289 TSK_WALK_ERROR = 0x2 ///< Walk function should stop processing units and return error
290 } TSK_WALK_RET_ENUM;
291
292
293 /************ ERROR HANDLING *************/
294 //TODO: make this per-thread?
295 extern int tsk_verbose; ///< Set to 1 to have verbose debug messages printed to stderr
296
297
298 #define TSK_ERR_AUX 0x01000000
299 #define TSK_ERR_IMG 0x02000000
300 #define TSK_ERR_VS 0x04000000
301 #define TSK_ERR_FS 0x08000000
302 #define TSK_ERR_HDB 0x10000000
ti_usb_phy_uboot_exit(int index)303 #define TSK_ERR_AUTO 0x20000000
304 #define TSK_ERR_POOL 0x40000000
305 #define TSK_ERR_MASK 0x00ffffff
306
307 #define TSK_ERR_AUX_MALLOC (TSK_ERR_AUX | 0)
308 #define TSK_ERR_AUX_GENERIC (TSK_ERR_AUX | 2)
309 #define TSK_ERR_AUX_MAX 2
310
311 #define TSK_ERR_IMG_NOFILE (TSK_ERR_IMG | 0)
312 #define TSK_ERR_IMG_OFFSET (TSK_ERR_IMG | 1)
313 #define TSK_ERR_IMG_UNKTYPE (TSK_ERR_IMG | 2)
314 #define TSK_ERR_IMG_UNSUPTYPE (TSK_ERR_IMG | 3)
315 #define TSK_ERR_IMG_OPEN (TSK_ERR_IMG | 4)
316 #define TSK_ERR_IMG_STAT (TSK_ERR_IMG | 5)
317 #define TSK_ERR_IMG_SEEK (TSK_ERR_IMG | 6)
318 #define TSK_ERR_IMG_READ (TSK_ERR_IMG | 7)
319 #define TSK_ERR_IMG_READ_OFF (TSK_ERR_IMG | 8)
320 #define TSK_ERR_IMG_ARG (TSK_ERR_IMG | 9)
321 #define TSK_ERR_IMG_MAGIC (TSK_ERR_IMG | 10)
322 #define TSK_ERR_IMG_WRITE (TSK_ERR_IMG | 11)
323 #define TSK_ERR_IMG_CONVERT (TSK_ERR_IMG | 12)
324 #define TSK_ERR_IMG_PASSWD (TSK_ERR_IMG | 13)
325 #define TSK_ERR_IMG_MAX 14
326
327 #define TSK_ERR_VS_UNKTYPE (TSK_ERR_VS | 0)
328 #define TSK_ERR_VS_UNSUPTYPE (TSK_ERR_VS | 1)
329 #define TSK_ERR_VS_READ (TSK_ERR_VS | 2)
330 #define TSK_ERR_VS_MAGIC (TSK_ERR_VS | 3)
331 #define TSK_ERR_VS_WALK_RNG (TSK_ERR_VS | 4)
332 #define TSK_ERR_VS_BUF (TSK_ERR_VS | 5)
333 #define TSK_ERR_VS_BLK_NUM (TSK_ERR_VS | 6)
334 #define TSK_ERR_VS_ARG (TSK_ERR_VS | 7)
335 #define TSK_ERR_VS_MAX 8
336
337 #define TSK_ERR_POOL_UNKTYPE (TSK_ERR_POOL | 0)
338 #define TSK_ERR_POOL_UNSUPTYPE (TSK_ERR_IMG | 1)
339 #define TSK_ERR_POOL_ARG (TSK_ERR_POOL | 2)
340 #define TSK_ERR_POOL_GENPOOL (TSK_ERR_POOL | 3)
341 #define TSK_ERR_POOL_MAX 4
342
343 #define TSK_ERR_FS_UNKTYPE (TSK_ERR_FS | 0)
344 #define TSK_ERR_FS_UNSUPTYPE (TSK_ERR_FS | 1)
345 #define TSK_ERR_FS_UNSUPFUNC (TSK_ERR_FS | 2)
346 #define TSK_ERR_FS_WALK_RNG (TSK_ERR_FS | 3)
347 #define TSK_ERR_FS_READ (TSK_ERR_FS | 4)
348 #define TSK_ERR_FS_READ_OFF (TSK_ERR_FS | 5)
349 #define TSK_ERR_FS_ARG (TSK_ERR_FS | 6)
350 #define TSK_ERR_FS_BLK_NUM (TSK_ERR_FS | 7)
351 #define TSK_ERR_FS_INODE_NUM (TSK_ERR_FS | 8)
352 #define TSK_ERR_FS_INODE_COR (TSK_ERR_FS | 9)
353 #define TSK_ERR_FS_MAGIC (TSK_ERR_FS | 10)
354 #define TSK_ERR_FS_FWALK (TSK_ERR_FS | 11)
355 #define TSK_ERR_FS_WRITE (TSK_ERR_FS | 12)
356 #define TSK_ERR_FS_UNICODE (TSK_ERR_FS | 13)
357 #define TSK_ERR_FS_RECOVER (TSK_ERR_FS | 14)
358 #define TSK_ERR_FS_GENFS (TSK_ERR_FS | 15)
359 #define TSK_ERR_FS_CORRUPT (TSK_ERR_FS | 16)
360 #define TSK_ERR_FS_ATTR_NOTFOUND (TSK_ERR_FS | 17)
361 #define TSK_ERR_FS_MAX 18
362
363
364 #define TSK_ERR_HDB_UNKTYPE (TSK_ERR_HDB | 0)
365 #define TSK_ERR_HDB_UNSUPTYPE (TSK_ERR_HDB | 1)
366 #define TSK_ERR_HDB_READDB (TSK_ERR_HDB | 2)
367 #define TSK_ERR_HDB_READIDX (TSK_ERR_HDB | 3)
368 #define TSK_ERR_HDB_ARG (TSK_ERR_HDB | 4)
369 #define TSK_ERR_HDB_WRITE (TSK_ERR_HDB | 5)
370 #define TSK_ERR_HDB_CREATE (TSK_ERR_HDB | 6)
371 #define TSK_ERR_HDB_DELETE (TSK_ERR_HDB | 7)
372 #define TSK_ERR_HDB_MISSING (TSK_ERR_HDB | 8)
373 #define TSK_ERR_HDB_PROC (TSK_ERR_HDB | 9)
374 #define TSK_ERR_HDB_OPEN (TSK_ERR_HDB | 10)
375 #define TSK_ERR_HDB_CORRUPT (TSK_ERR_HDB | 11)
376 #define TSK_ERR_HDB_UNSUPFUNC (TSK_ERR_HDB | 11)
377 #define TSK_ERR_HDB_MAX 13
378
379 #define TSK_ERR_AUTO_DB (TSK_ERR_AUTO | 0)
380 #define TSK_ERR_AUTO_CORRUPT (TSK_ERR_AUTO | 1)
381 #define TSK_ERR_AUTO_UNICODE (TSK_ERR_AUTO | 2)
382 #define TSK_ERR_AUTO_NOTOPEN (TSK_ERR_AUTO | 3)
383 #define TSK_ERR_AUTO_MAX 4
384 //@}
385
386
387 /** \name Endian Ordering Functions */
388 //@{
389 /**
390 * Flag that identifies the endian ordering of the data being read.
391 */
392 typedef enum {
393 TSK_UNKNOWN_ENDIAN = 0x00, ///< Endianness is unknown
394 TSK_LIT_ENDIAN = 0x01, ///< Data is in little endian
395 TSK_BIG_ENDIAN = 0x02 ///< Data is in big endian
396 } TSK_ENDIAN_ENUM;
397
398 //@}
399
400
401
402 extern TSK_OFF_T tsk_parse_offset(const TSK_TCHAR *);
403 extern int tsk_parse_pnum(const TSK_TCHAR * a_pnum_str,
404 TSK_PNUM_T * a_pnum);
405
406
407
408 /** \name MD5 and SHA-1 hashing */
409 //@{
410
411 /* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
412 rights reserved.
413
414 License to copy and use this software is granted provided that it
415 is identified as the "RSA Data Security, Inc. MD5 Message-Digest
416 Algorithm" in all material mentioning or referencing this software
417 or this function.
418
419 License is also granted to make and use derivative works provided
420 that such works are identified as "derived from the RSA Data
421 Security, Inc. MD5 Message-Digest Algorithm" in all material
422 mentioning or referencing the derived work.
423
424 RSA Data Security, Inc. makes no representations concerning either
425 the merchantability of this software or the suitability of this
426 software for any particular purpose. It is provided "as is"
427 without express or implied warranty of any kind.
428
429 These notices must be retained in any copies of any part of this
430 documentation and/or software.
431 */
432
433
434 /* POINTER defines a generic pointer type */
435 typedef unsigned char *POINTER;
436
437 /* UINT2 defines a two byte word */
438 //typedef unsigned short int UINT2;
439 typedef uint16_t UINT2;
440
441 /* UINT4 defines a four byte word */
442 typedef uint32_t UINT4;
443
444 /* Added for sha1 */
445 /* BYTE defines a unsigned character */
446 typedef uint8_t BYTE;
447
448 #ifndef TRUE
449 #define FALSE 0
450 #define TRUE ( !FALSE )
451 #endif /* TRUE */
452
453
454
455 /* MD5 context. */
456 #define TSK_MD5_DIGEST_LENGTH 16
457 typedef struct {
458 UINT4 state[4]; /* state (ABCD) */
459 UINT4 count[2]; /* number of bits, modulo 2^64 (lsb first) */
460 unsigned char buffer[64]; /* input buffer */
461 } TSK_MD5_CTX;
462
463 void TSK_MD5_Init(TSK_MD5_CTX *);
464 void TSK_MD5_Update(TSK_MD5_CTX *, unsigned char *, unsigned int);
465 void TSK_MD5_Final(unsigned char[16], TSK_MD5_CTX *);
466
467
468
469 /* sha.h */
470
471 /* The structure for storing SHS info */
472 #define TSK_SHA_DIGEST_LENGTH 32
473 typedef struct {
474 UINT4 digest[5]; /* Message digest */
475 UINT4 countLo, countHi; /* 64-bit bit count */
476 UINT4 data[16]; /* SHS data buffer */
477 int Endianness;
478 } TSK_SHA_CTX;
479
480 /* Message digest functions */
481
482 void TSK_SHA_Init(TSK_SHA_CTX *);
483 void TSK_SHA_Update(TSK_SHA_CTX *, BYTE * buffer, int count);
484 void TSK_SHA_Final(BYTE * output, TSK_SHA_CTX *);
485
486 /* Flags for which type of hash(es) to run */
487 typedef enum{
488 TSK_BASE_HASH_INVALID_ID = 0,
489 TSK_BASE_HASH_MD5 = 0x01,
490 TSK_BASE_HASH_SHA1 = 0x02
491 //TSK_BASE_HASH_SHA256 = 0x04,
492 } TSK_BASE_HASH_ENUM;
493
494
495 //@}
496
497 #ifdef __cplusplus
498 }
499 #endif
500 #ifdef __cplusplus
501 #if 0
502 class TskStack {
503 private:
504 TSK_STACK * m_stack;
505
506 public:
507 /**
508 * Create a TSK_STACK structure. See tsk_stack_create() for details.
509 * @returns Pointer to structure or NULL on error
510 */
511 TskStack() {
512 m_stack = tsk_stack_create();
513 };
514 /**
515 * Free an allocated TSK_STACK structure. See tsk_stack_free() for details.
516 */
517 ~TskStack() {
518 tsk_stack_free(m_stack);
519 };
520 /**
521 * Pop a value from the top of the stack. See tsk_stack_pop() for details.
522 */
523 void pop() {
524 tsk_stack_pop(m_stack);
525 };
526 /**
527 * Push a value to the top of TSK_STACK. See tsk_stack_push() for details.
528 * @param a_val Value to push on
529 * @returns 1 on error
530 */
531 uint8_t push(uint64_t a_val) {
532 return tsk_stack_push(m_stack, a_val);
533 };
534 /**
535 * Search a TSK_STACK for a given value. See tsk_stack_find() for details.
536 * @param a_val Value to search for
537 * @returns 1 if found and 0 if not
538 */
539 uint8_t find(uint64_t a_val) {
540 return tsk_stack_find(m_stack, a_val);
541 };
542 /**
543 * Return Number of entries in the stack
544 * @returns number of entries in the stack
545 */
546 size_t length() {
547 if (m_stack != NULL)
548 return m_stack->len;
549 else
550 return 0;
551 };
552 };
553 #endif
554
555 /**
556 * \ingroup baselib_cpp
557 * Allows access to most recent error message and code in the thread.
558 */
559 class TskError {
560 public:
561 /**
562 * Return the string with the current error message. The string does not end with a
563 * newline. See tsk_error_get() for details.
564 *
565 * @returns String with error message or NULL if there is no error
566 */
567 static const char *get() {
568 return tsk_error_get();
569 };
570
571 /**
572 * Print the current error message to a file. See tsk_error_print() for details.
573 *
574 * @param a_hFile File to print message to
575 */
576 static void print(FILE * a_hFile) {
577 tsk_error_print(a_hFile);
578 };
579
580 /**
581 * Clear the error number and error message. See tsk_error_reset() for details.
582 */
583 static void reset() {
584 tsk_error_reset();
585 };
586 };
587
588 #endif
589 #endif
590