Using the Sleuth Kit function tsk_fs_open_img() returns an error that the FS is not a FAT FS

Posted on 2024-12-21 20:51:48

I am writing a program using the Sleuth Kit Library that is designed to print out the File Allocation Table of a FAT32 filesystem. Everything in my program works fine until I call the tsk_fs_open_img() function. At that point the program returns an error stating "Invalid magic value (Not a FATFS file system(magic))." The FS is indeed a FAT32 FS and I have verified the magic value (AA55 @ offset 1FE) using a hex editor. Also, mmls and fls, which are command-line tools included in the Sleuth Kit Library, work on the drive image that I am using and show that it is indeed a FAT32 FS and also provide the offset of 63 for the FS.

If anyone could help me figure out why this function is not working it would be greatly appreciated. Thanks in advance.

Here is the link to the API for the function: TSK_FS_OPEN_IMG()

Here is my code:

#include <tsk3/libtsk.h>
#include <cstdio>
#include <cstdlib>
#include <iostream>
#include <string.h>

using namespace std;

int main (int argc, const char * argv[])
{
    // Image and file system handles; the image type is auto-detected.
    TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
    TSK_IMG_INFO *img;

    TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_FAT32;
    TSK_FS_INFO *fs;

    TSK_DADDR_T imgOffset = 0x00000000;
    TSK_OFF_T fsStartBlock = 63;    // FS start in sectors, as reported by mmls

    // Volume system variables (declared but not used below).
    TSK_VS_INFO *vs;
    TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT;

    const TSK_VS_PART_INFO *part = NULL;
    TSK_PNUM_T partLocation = 0;    // no partition has been looked up yet

    TSK_TCHAR *driveName;
    TSK_DADDR_T startAddress = 0x00000000;
    TSK_DADDR_T numBlocksToRead = 0x00000001;
    TSK_FS_BLKCAT_FLAG_ENUM flags = TSK_FS_BLKCAT_ASCII;

    int numOfDrives = 1;
    unsigned int sectorSize = 0;    // 0 lets the library choose the sector size
    uint8_t blockBytes = 0;

    // argv[1] must hold the drive or image name.
    if (argc < 2) {
        printf("You must enter a drive name.\n");
        exit(EXIT_FAILURE);
    }

    driveName = (TSK_TCHAR*) argv[1];

    cout << "\nOpening Drive\n\n";

    if((img = tsk_img_open(numOfDrives, &driveName, imgtype, sectorSize)) == NULL) {
        tsk_error_print(stderr);
        exit(EXIT_FAILURE);
    }

    cout << "Drive opened successfully.\n\n";

    cout << "Opening File System\n\n";

    // fsStartBlock is passed unchanged as the offset argument.
    if((fs = tsk_fs_open_img(img, fsStartBlock, fstype)) == NULL) {
        tsk_error_print(stderr);
        if (tsk_errno == TSK_ERR_FS_UNSUPTYPE)
            tsk_fs_type_print(stderr);
        img -> close(img);
        exit(EXIT_FAILURE);
    }

    cout << "File system opened successfully.\n\n";

    // Print the requested block(s) of the file system as ASCII.
    blockBytes = tsk_fs_blkcat(fs, flags, startAddress, numBlocksToRead);

    fs -> close(fs);
    img -> close(img);
    return 0;
}


Comments (1)

终难遇 2024-12-28 20:51:48

The offset argument to tsk_fs_open_img is in bytes, not sectors. So, you need to multiply fsStartBlock by img->sector_size.
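
The unit mismatch described in this answer, as an added example that is not part of the original post or of the Sleuth Kit: it does not link against libtsk, builds a constructed disk image in memory, and checks for a FAT32 boot sector at a byte offset. The 512-byte sector size and all function names are assumptions made for the illustration.

```cpp
// Added illustration; does not use libtsk. All names are hypothetical.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

const uint32_t SECTOR_SIZE = 512;   // assumed sector size of the constructed image

// Constructed sample: an MBR in sector 0 whose first partition (type 0x0B,
// FAT32) starts at LBA 63, and a minimal FAT32 boot sector at that LBA.
std::vector<uint8_t> make_image() {
    std::vector<uint8_t> img(64 * SECTOR_SIZE, 0);
    img[0x1BE + 4] = 0x0B;                      // partition type
    img[0x1BE + 8] = 63;                        // start LBA, little-endian
    img[0x1FE] = 0x55; img[0x1FF] = 0xAA;       // MBR signature
    uint8_t *bs = &img[63 * SECTOR_SIZE];
    bs[11] = 0x00; bs[12] = 0x02;               // bytes per sector = 512
    std::memcpy(bs + 82, "FAT32   ", 8);        // FAT32 type label
    bs[0x1FE] = 0x55; bs[0x1FF] = 0xAA;         // boot sector signature
    return img;
}

// Start LBA of the first MBR partition entry (the "Start" column in mmls).
uint32_t first_partition_lba(const std::vector<uint8_t> &img) {
    const uint8_t *e = &img[0x1BE + 8];
    return e[0] | (e[1] << 8) | (e[2] << 16) | ((uint32_t)e[3] << 24);
}

// Boot-sector check at a BYTE offset, the unit the answer says the API expects.
bool looks_like_fat32(const std::vector<uint8_t> &img, uint64_t byte_off) {
    if (byte_off + SECTOR_SIZE > img.size()) return false;   // out of range
    const uint8_t *bs = &img[byte_off];
    return bs[0x1FE] == 0x55 && bs[0x1FF] == 0xAA &&
           std::memcmp(bs + 82, "FAT32   ", 8) == 0;
}

int main() {
    std::vector<uint8_t> img = make_image();
    uint64_t lba = first_partition_lba(img);
    std::printf("sector number used as byte offset: %s\n",
                looks_like_fat32(img, lba) ? "FAT32" : "invalid magic");
    std::printf("lba * sector size (%llu bytes): %s\n",
                (unsigned long long)(lba * SECTOR_SIZE),
                looks_like_fat32(img, lba * SECTOR_SIZE) ? "FAT32" : "invalid magic");
    return 0;
}
```

With the sector number passed as a byte offset, the signature check lands 63 bytes into the MBR region and fails; converting to bytes first finds the boot sector.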
