/*
* The Sleuth Kit
*
* Contact: Brian Carrier [carrier <at> sleuthkit [dot] org]
* Copyright (c) 2010-2012 Basis Technology Corporation. All Rights
* reserved.
*
* This software is distributed under the Common Public License 1.0
*/
/**
* \file FileTypeSigModule.cpp
* Contains the module that uses libmagic to determine the
* file type based on signatures.
*/
// System includes
#include <string>
#include <windows.h>
#include <sstream>
#include <stdlib.h>
// Framework includes
#include "TskModuleDev.h"
// Poco includes
#include "Poco/UnicodeConverter.h"
#include "Poco/File.h"
#include "Poco/Path.h"
// Magic includes
#include "magic.h"
// Number of leading bytes of each file that run() reads and hands to libmagic;
// it is used both as the stack buffer size and as the requested read length.
static const uint32_t FILE_BUFFER_SIZE = 1024;
// libmagic handle: assigned in initialize() and used by every run() call.
// NOTE(review): this one handle is shared module-wide; libmagic handles are
// generally not safe for concurrent use -- confirm the framework never calls
// run() for this module from more than one thread at a time.
static magic_t magicHandle = NULL;
extern "C"
{
/**
* Module identification function.
*
* @return The name of the module.
*/
TSK_MODULE_EXPORT const char *name()
{
    // Static storage, so the returned pointer remains valid after the call.
    // initialize() also uses this value as the directory name that holds
    // magic.mgc, and run() uses it as the blackboard attribute source.
    static const char kModuleName[] = "FileTypeSigModule";
    return kModuleName;
}
/**
* Module identification function.
*
* @return A description of the module.
*/
TSK_MODULE_EXPORT const char *description()
{
    // Static storage, so the returned pointer remains valid after the call.
    static const char kModuleDescription[] =
        "Determines file type based on signature using libmagic";
    return kModuleDescription;
}
/**
* Module identification function.
*
* @return The version of the module.
*/
TSK_MODULE_EXPORT const char *version()
{
    // Static storage, so the returned pointer remains valid after the call.
    static const char kModuleVersion[] = "1.0.2";
    return kModuleVersion;
}
/**
* Module initialization function. Takes a string as input that allows
* arguments to be passed into the module.
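* @param arguments Argument string supplied by the framework; this module does not read it.
* @return TskModule::OK if the magic database was loaded, TskModule::FAIL otherwise.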
*/
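TskModule::Status TSK_MODULE_EXPORT initialize(const char* arguments)
{
    // 'arguments' is accepted for the module interface but is not used here.

    // Release a handle left over from an earlier initialize() call so that
    // re-initialisation does not leak it.
    if (magicHandle != NULL) {
        magic_close(magicHandle);
        magicHandle = NULL;
    }

    // The compiled magic database is expected at <MODULE_DIR>/<module name>/magic.mgc.
    // NOTE(review): every file-type result depends on this database, so the
    // directory should be writable only by whoever administers the install.
    std::string path = GetSystemProperty(TskSystemProperties::MODULE_DIR) + Poco::Path::separator() + name() + Poco::Path::separator() + "magic.mgc";

    // Check for the database before allocating a handle so this failure path
    // has nothing to clean up.
    Poco::File magicFile(path);
    if (!magicFile.exists()) {
        std::wstringstream msg;
        msg << L"FileTypeSigModule: Magic file not found";
        LOGERROR(msg.str());
        return TskModule::FAIL;
    }

    magicHandle = magic_open(MAGIC_NONE);
    if (magicHandle == NULL) {
        // magic_open() returns NULL when it cannot allocate the handle.
        LOGERROR("FileTypeSigModule: Error allocating libmagic handle.");
        return TskModule::FAIL;
    }

    if (magic_load(magicHandle, path.c_str()) != 0) {
        // Fetch the error text before closing the handle that owns it, and
        // never stream a NULL char pointer.
        const char *err = magic_error(magicHandle);
        std::wstringstream msg;
        msg << L"FileTypeSigModule: Error loading magic file: " << (err != NULL ? err : "unknown error")
            << L" (module dir: " << GetSystemPropertyW(TskSystemProperties::MODULE_DIR) << L")";
        LOGERROR(msg.str());

        // Do not leave a handle without a loaded database for run() to use.
        magic_close(magicHandle);
        magicHandle = NULL;
        return TskModule::FAIL;
    }

    return TskModule::OK;
}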
/**
* The run() method is where the module's work is performed.
* The module will be passed a pointer to a file from which both
* content and metadata can be retrieved.
* @param pFile A pointer to a file to be processed.
* @returns TskModule::OK on success and TskModule::FAIL on error.
*/
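TskModule::Status TSK_MODULE_EXPORT run(TskFile * pFile)
{
    if (pFile == NULL)
    {
        LOGERROR("FileTypeSigModule: Passed NULL file pointer.");
        return TskModule::FAIL;
    }

    // Nothing to classify in an empty file.
    if (pFile->getSize() == 0)
        return TskModule::OK;

    // initialize() may have failed or never run; do not hand libmagic a NULL handle.
    if (magicHandle == NULL)
    {
        LOGERROR("FileTypeSigModule: Magic database is not loaded.");
        return TskModule::FAIL;
    }

    try
    {
        // Only the first FILE_BUFFER_SIZE bytes are examined, so the result
        // reflects the file's leading bytes and nothing after them.
        char buffer[FILE_BUFFER_SIZE];
        ssize_t readLen = pFile->read(buffer, FILE_BUFFER_SIZE);

        // Zero is not expected here because the file is known to be non-empty.
        if (readLen <= 0) {
            std::stringstream msg;
            msg << "FileTypeSigModule: Error reading file contents for file " << pFile->getId();
            LOGERROR(msg.str());
            return TskModule::FAIL;
        }

        const char *type = magic_buffer(magicHandle, buffer, static_cast<size_t>(readLen));
        if (type == NULL) {
            // Never stream a NULL char pointer into the message.
            const char *err = magic_error(magicHandle);
            std::stringstream msg;
            msg << "FileTypeSigModule: Error getting file type: " << (err != NULL ? err : "unknown error");
            LOGERROR(msg.str());
            return TskModule::FAIL;
        }

        // Copy into a bounded, always-terminated buffer and scrub it: invalid
        // UTF-8 has been seen in the text libmagic returns, and this string is
        // stored on the blackboard.
        char cleanType[1024];
        strncpy(cleanType, type, sizeof(cleanType) - 1);
        cleanType[sizeof(cleanType) - 1] = '\0';
        TskUtilities::cleanUTF8(cleanType);

        // Add to blackboard
        TskBlackboardAttribute attr(TSK_FILE_TYPE_SIG, name(), "", cleanType);
        pFile->addGenInfoAttribute(attr);
    }
    catch (TskException& tskEx)
    {
        std::stringstream msg;
        msg << "FileTypeSigModule: Caught framework exception: " << tskEx.message();
        LOGERROR(msg.str());
        return TskModule::FAIL;
    }
    catch (const std::exception& ex)
    {
        std::stringstream msg;
        msg << "FileTypeSigModule: Caught exception: " << ex.what();
        LOGERROR(msg.str());
        return TskModule::FAIL;
    }
    catch (...)
    {
        // This is an extern "C" entry point; no exception may escape it.
        LOGERROR("FileTypeSigModule: Caught unknown exception.");
        return TskModule::FAIL;
    }

    return TskModule::OK;
}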
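/**
 * Module cleanup function. Releases the libmagic handle opened by
 * initialize(), if there is one.
 *
 * @returns TskModule::OK always.
 */
TskModule::Status TSK_MODULE_EXPORT finalize()
{
    // Close the handle so the loaded magic database is not leaked, and reset
    // the pointer so it cannot be used after being closed.
    if (magicHandle != NULL) {
        magic_close(magicHandle);
        magicHandle = NULL;
    }
    return TskModule::OK;
}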
}