fileextractor: linux edition #1788
Can one of the admins verify this patch?

@drakvuf-jenkins Test this please
There is an error on CI:

```
VMI_ERROR: VMI_ERROR: xen_read_disk: vbd is inactive or error occured
```

It's hard to say what exactly this error is related to, but I'll assume:

@drakvuf-jenkins Test this please
So there is some regression with this PR on the Linux side. The CI notes two things. First, starting with this change enabled on debian stretch results in
@drakvuf-jenkins Test this please
Okay, let's sort out the errors line by line. Log message:

```cpp
/* by default use first device_id */
device_id = std::string(devices_ids[0]);
for (uint32_t i = 0; i < number_of_disks; i++)
{
    PRINT_ERROR("[libfs] devices_ids[%d]=%s\n", i, devices_ids[i]);
    free(devices_ids[i]);
}
```

Everything is OK here, the program receives one disk and prints its ID.

```cpp
bool BaseFilesystem::detect_filesystem_start()
{
    PRINT_ERROR("[libfs] detect filesystem start\n");
    if (drakvuf_get_os_type(drakvuf_) != VMI_OS_LINUX)
        return false;
    ...
}
```

```cpp
bool BaseFilesystem::detect_filesystem_start()
{
    PRINT_ERROR("[libfs] detect filesystem start\n");
    if (drakvuf_get_os_type(drakvuf_) != VMI_OS_LINUX)
        return false;
    auto mbr = get_struct_from_disk<mbr_t>(ZERO_OFFSET);
    PRINT_ERROR("[libfs] read mbr from disk successfully\n");
    ...
}
```

The program tries to read data from the disk, but gets an error, because we don't see the following message. Let's look at the code:

```cpp
status_t get_raw_from_disk(size_t offset, size_t count, void* buffer)
{
    auto vmi = vmi_lock_guard(drakvuf_);
    return vmi_read_disk(vmi, device_id.c_str(), offset, count, buffer);
}

template <typename T>
std::unique_ptr<T> get_struct_from_disk(size_t offset)
{
    std::vector<uint8_t> buffer(sizeof(T));
    if (VMI_FAILURE == get_raw_from_disk(offset, sizeof(T), buffer.data()))
    {
        PRINT_ERROR("[FILEEXTRACTOR] failed to read struct from disk\n");
        throw -1;
    }
    return std::make_unique<T>(*reinterpret_cast<T*>(buffer.data()));
}
```

A simple chain of calls is going on.

So, I think that the error is not specifically in my code, because it does not even have time to start working properly, but something with libvmi and the disk structure on CI. Can you tell me what format the disk was created in?
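An added example (my own, not code from this PR or from DRAKVUF) that reproduces the read chain discussed in the comment above with libvmi swapped for a constructed in-memory disk image; the MBR struct layout, the `FakeDisk` backend and the partition helper are assumptions. Where the PR's `get_struct_from_disk` reinterpret_casts the buffer and throws `-1` on a failed read, this version copies the bytes into an aligned object, reports failure through `std::optional`, and rejects a sector without the `55 AA` signature, which is the check `detect_filesystem_start()` needs before trusting anything it reads from the device.

```cpp
#include <cstdint>
#include <cstring>
#include <optional>
#include <vector>

// Classic MBR layout (hypothetical struct, not DRAKVUF's own mbr_t).
#pragma pack(push, 1)
struct partition_entry_t {
    uint8_t  status, chs_first[3];   // status 0x80 = bootable
    uint8_t  type, chs_last[3];      // type 0x83 = Linux
    uint32_t lba_first, sectors;
};
struct mbr_t {
    uint8_t           bootstrap[446];
    partition_entry_t partitions[4];
    uint16_t          signature;     // bytes 55 AA, read little-endian as 0xAA55
};
#pragma pack(pop)
static_assert(sizeof(mbr_t) == 512, "MBR must be exactly one sector");
// Stand-in for vmi_read_disk(): fails (like VMI_FAILURE) on reads past the end.
struct FakeDisk {
    std::vector<uint8_t> image;   // constructed in-memory disk image
    bool read(size_t offset, size_t count, void* buffer) const {
        if (offset > image.size() || count > image.size() - offset) return false;
        std::memcpy(buffer, image.data() + offset, count); return true;
    }
};
// As the comment's get_struct_from_disk<T>, but copies into an aligned T and returns an empty optional (not throw -1) on a failed read.
template <typename T>
std::optional<T> get_struct_from_disk(const FakeDisk& disk, size_t offset) {
    T out{};
    if (!disk.read(offset, sizeof(T), &out)) return std::nullopt;
    return out;
}
// Mirrors detect_filesystem_start(): read the MBR at offset 0, verify the signature, return the type of the first bootable partition (0 if none or invalid).
uint8_t first_bootable_partition_type(const FakeDisk& disk) {
    auto mbr = get_struct_from_disk<mbr_t>(disk, 0);
    if (!mbr || mbr->signature != 0xAA55) return 0;
    for (const auto& p : mbr->partitions)
        if (p.status == 0x80) return p.type;
    return 0;
}
// Constructed sample: one 512-byte sector with a single bootable Linux partition.
FakeDisk make_sample_disk() {
    FakeDisk d{std::vector<uint8_t>(512)};
    d.image[446] = 0x80; d.image[450] = 0x83;   // entry 0: status, type
    d.image[510] = 0x55; d.image[511] = 0xAA;   // signature
    return d;
}
```

A device shorter than one sector, which is what an inactive vbd effectively looks like to the reader, makes the read fail before any parsing happens, so the caller sees 0 rather than a garbage partition type.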
This is what I see in Xenstore:
As @skvl mentioned in #1787, adding the fileextractor implementation for Linux.

Key features:

There are three main events when a file is extracted from the system:

It is worth considering that if the file was not somehow changed during the analysis, then it will not be extracted, to avoid extracting a lot of system files.

In order to avoid caching files at the kernel level, the `do_sys_openat2` call is intercepted and special flags are set. Working with the ext4 file system is located in a separate library, specifically in order to be able to add support for other file systems if necessary.