1 /**
2 *
3 * scan_sha1:
4 * plug-in demonstration that shows how to write a simple plug-in scanner that calculates
5 * the SHA1 of each sbuf. The hash is written to both the XML file and to the sha1 feature file.
6 *
7 * Don't use this in production systems! It has a histogram that isn't useful for most applications.
8 */
9
10 #include "config.h" // needed for hash_t
11
12 #include <iostream>
13 #include <sys/types.h>
14
15 #include "dfxml_cpp/src/hash_t.h"
16 #include "dfxml_cpp/src/dfxml_writer.h"
17 #include "scan_sha1_test.h"
18 #include "scanner_params.h"
19 #include "scanner_set.h"
20
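// Recorder for the "sha1_bufs" feature file. It is assigned in PHASE_INIT2 and read in
// PHASE_SCAN; it is a plain global with no synchronization of its own.
feature_recorder *sha1_recorder = nullptr;

/**
 * Demonstration scanner that records a hash of every sbuf it is handed.
 *
 * Behaviour depends on sp.phase:
 *  - PHASE_INIT:  fills in sp.info (name, author, version, ...) and requests the
 *                 "sha1_bufs" feature recorder plus a histogram over it.
 *  - PHASE_INIT2: caches a pointer to the "sha1_bufs" recorder in sha1_recorder.
 *  - PHASE_SCAN:  hashes sp.sbuf, writes the digest to the recorder at sp.sbuf->pos0 and,
 *                 when sp.ss->writer is set, emits a <hashdigest> element as well.
 *  - any other phase: does nothing.
 *
 * The digest is labelled SHA1 in the XML output. SHA-1 is not collision resistant, so treat
 * these values as buffer identifiers for matching and de-duplication, not as tamper evidence.
 *
 * @param sp scanner parameters supplied by the framework; sp.info is replaced in PHASE_INIT.
 */
void scan_sha1_test(struct scanner_params& sp) {
    if (sp.phase == scanner_params::PHASE_INIT) {
        /* Create a scanner_info block to register this scanner */
        sp.info = std::make_unique<scanner_params::scanner_info>(scan_sha1_test);
        sp.info->set_name("sha1_test");
        sp.info->author = "Simson L. Garfinkel";
        sp.info->description = "Compute the SHA1 of every sbuf.";
        sp.info->url = "https://digitalcorpora.org/bulk_extractor";
        sp.info->scanner_version = "1.0.0";
        sp.info->pathPrefix = "SHA1";  // just use SHA1
        sp.info->min_sbuf_size = 1;    // we can hash a single byte

        // Specify the feature recorders that the scanner wants.
        // The feature recorder does not need to have the same name as the scanner, and a
        // scanner may specify any number of feature recorders.
        sp.info->feature_defs.push_back(feature_recorder_def("sha1_bufs"));

        // The regex "^(.....)" captures the first five characters of each recorded feature.
        // NOTE(review): the original comment called histogram_defs a set, but it is filled with
        // push_back here; confirm that calling this initialization twice is really harmless.
        histogram_def hd("test_histogram", "sha1_bufs", "^(.....)", "", "first5", histogram_def::flags_t(true, false));

        // NOTE(review): "sha1_bufs" is requested a second time here. Kept as in the original;
        // confirm the framework tolerates duplicate definitions before removing it.
        sp.info->feature_defs.push_back(feature_recorder_def("sha1_bufs"));
        sp.info->histogram_defs.push_back(hd);
        return;
    }
    if (sp.phase == scanner_params::PHASE_INIT2) {
        sha1_recorder = &sp.named_feature_recorder("sha1_bufs");
    }

    if (sp.phase == scanner_params::PHASE_SCAN) {
        auto hexdigest = sp.sbuf->hash();

        // sha1_recorder is only assigned in PHASE_INIT2. If this phase is reached without it,
        // look the recorder up by name instead of dereferencing a null pointer. The global is
        // left untouched so the scan phase never writes shared state.
        feature_recorder *recorder = sha1_recorder;
        if (recorder == nullptr) {
            recorder = &sp.named_feature_recorder("sha1_bufs");
        }
        recorder->write(sp.sbuf->pos0, hexdigest, "");  // write the hash with no context

        // NOTE(review): the type label is hard-coded; it assumes sbuf hash() yields SHA-1.
        if (sp.ss->writer) {
            sp.ss->writer->xmlout("hashdigest", hexdigest, "type='SHA1'", false);
        }
        return;
    }
}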
62