1 /**
2  *
3  * scan_sha1:
4  * plug-in demonstration that shows how to write a simple plug-in scanner that calculates
5  * the SHA1 of each sbuf. The hash is written to both the XML file and to the sha1 feature file.
6  *
7  * Don't use this in production systems! It has a histogram that isn't useful for most applications.
8  */
9 
10 #include "config.h" // needed for hash_t
11 
12 #include <iostream>
13 #include <sys/types.h>
14 
15 #include "dfxml_cpp/src/hash_t.h"
16 #include "dfxml_cpp/src/dfxml_writer.h"
17 #include "scan_sha1_test.h"
18 #include "scanner_params.h"
19 #include "scanner_set.h"
20 
// Cached pointer to the "sha1_bufs" feature recorder. scan_sha1_test() assigns it
// in PHASE_INIT2 and dereferences it in PHASE_SCAN; it stays null until then.
// NOTE(review): this is mutable file-scope state with external linkage. Confirm
// no other translation unit writes to it and that PHASE_INIT2 always completes
// before any PHASE_SCAN call.
feature_recorder* sha1_recorder{nullptr};
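/**
 * Demonstration scanner that records the hash of every sbuf it is handed.
 *
 * Phases handled (any other phase is a no-op):
 *  - PHASE_INIT:  registers the scanner as "sha1_test", requests the "sha1_bufs"
 *                 feature recorder, and defines a histogram keyed on the first
 *                 five characters of each recorded digest.
 *  - PHASE_INIT2: caches a pointer to the "sha1_bufs" recorder in sha1_recorder.
 *  - PHASE_SCAN:  writes sp.sbuf->hash() to the recorder and, when the scanner
 *                 set has a DFXML writer attached, to the XML output as well.
 *
 * Security note: the digest is labelled SHA1 in the XML output. SHA-1 is not
 * collision resistant, so treat these values as identifiers for lookup and
 * de-duplication, not as tamper evidence for data an adversary may have crafted.
 *
 * @param sp scanner parameters for the current phase; sp.info is populated
 *           during PHASE_INIT.
 */
void scan_sha1_test(struct scanner_params& sp) {
    if (sp.phase == scanner_params::PHASE_INIT) {
        /* Create a scanner_info block to register this scanner */
        sp.info = std::make_unique<scanner_params::scanner_info>(scan_sha1_test);
        sp.info->set_name("sha1_test");
        sp.info->author = "Simson L. Garfinkel";
        sp.info->description = "Compute the SHA1 of every sbuf.";
        sp.info->url = "https://digitalcorpora.org/bulk_extractor";
        sp.info->scanner_version = "1.0.0";
        sp.info->pathPrefix = "SHA1";      // just use SHA1
        sp.info->min_sbuf_size = 1;        // we can hash a single byte

        // Request the feature recorder this scanner writes to. The recorder name
        // does not have to match the scanner name, and a scanner may request any
        // number of recorders. The original registered "sha1_bufs" twice; a single
        // definition is enough.
        sp.info->feature_defs.push_back(feature_recorder_def("sha1_bufs"));

        // Histogram over the first five characters of each digest ("^(.....)").
        // NOTE(review): the original comment says histogram_defs is a set, but it
        // is filled with push_back here. Confirm that a second PHASE_INIT call
        // cannot leave a duplicate definition behind.
        histogram_def hd("test_histogram", "sha1_bufs", "^(.....)", "", "first5", histogram_def::flags_t(true, false));
        sp.info->histogram_defs.push_back(hd);
        return;
    }

    if (sp.phase == scanner_params::PHASE_INIT2) {
        // Resolve the recorder once so the scan phase does not repeat the lookup.
        sha1_recorder = &sp.named_feature_recorder("sha1_bufs");
        return;
    }

    if (sp.phase == scanner_params::PHASE_SCAN) {
        // Fall back to a by-name lookup if PHASE_INIT2 never ran, instead of
        // dereferencing a null pointer. The global is not written here, so
        // concurrent scan calls only ever read it.
        feature_recorder& recorder =
            (sha1_recorder != nullptr) ? *sha1_recorder : sp.named_feature_recorder("sha1_bufs");

        auto hexdigest = sp.sbuf->hash();

        recorder.write(sp.sbuf->pos0, hexdigest, ""); // write the hash with no context
        if (sp.ss->writer) {
            sp.ss->writer->xmlout("hashdigest", hexdigest, "type='SHA1'", false);
        }
        return;
    }
}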