gentoo-overlay/app-forensics/foremost/files/foremost-1.5.7-set-but-unus...


diff --git a/api.c b/api.c
index e3ee339..67463a6 100755
--- a/api.c
+++ b/api.c
@@ -478,7 +478,7 @@ int dump_dirent(int which_one)
{
int i;
char *p;
- short unknown;
+ // short unknown;
struct OLE_DIR *dir;
dir = (struct OLE_DIR *) &buffer[which_one * sizeof(struct OLE_DIR)];
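Review bot: The unused `unknown` is left behind as commented-out code, here as `// short unknown;` and in the next hunk as `//unknown = *((short *)p);`, which keeps a type-punned and potentially misaligned read of `dir->name` in the source for someone to re-enable later. Deleting both lines is cleaner; the existing `p += 2; /* step over unknown short */` already records why the two bytes are skipped. If the field is worth remembering, a plain comment such as `/* name starts with an unknown 16-bit field when *p < ' ' */` says so without code. dump_dirent's body continues outside both hunks.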
@@ -493,7 +493,7 @@ int dump_dirent(int which_one)
p = dir->name;
if (*p < ' ')
{
- unknown = *((short *)p);
+ //unknown = *((short *)p);
//fprintf (stderr, "%04x\t", unknown);
p += 2; /* step over unknown short */
diff --git a/engine.c b/engine.c
index 85add5f..4a1ef13 100755
--- a/engine.c
+++ b/engine.c
@@ -316,7 +316,6 @@ int search_chunk(f_state *s, unsigned char *buf, f_info *i, u_int64_t chunk_size
//u_int64_t buf_off = 0;
unsigned char *foundat = buf;
- unsigned char *current_pos = NULL;
unsigned char *header_pos = NULL;
unsigned char *newbuf = NULL;
unsigned char *ind_ptr = NULL;
@@ -461,7 +460,6 @@ int search_chunk(f_state *s, unsigned char *buf, f_info *i, u_int64_t chunk_size
}
c_offset = (foundat - buf);
- current_pos = foundat;
/*Now lets analyze the file and see if we can determine its size*/
@@ -511,12 +509,12 @@ int search_chunk(f_state *s, unsigned char *buf, f_info *i, u_int64_t chunk_size
newbuf = read_from_disk(c_offset + f_offset, i, needle->max_len);
if (newbuf == NULL)
break;
- current_pos = extract_file(s,
- c_offset,
- newbuf,
- needle->max_len,
- needle,
- f_offset);
+ extract_file(s,
+ c_offset,
+ newbuf,
+ needle->max_len,
+ needle,
+ f_offset);
/*Lets put the fp back*/
fseeko(i->handle, saveme, SEEK_SET);
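Review bot: The result of `extract_file(...)` is now dropped with nothing to show the discard is intentional. The old code never read `current_pos` either, so behaviour is unchanged, but a reader cannot tell from here whether the return value can signal a failed extraction (its definition is outside this diff). If it can, it should be checked before the file position is restored; if not, `(void)extract_file(s, c_offset, newbuf, needle->max_len, needle, f_offset);` documents the choice. The return of `fseeko(i->handle, saveme, SEEK_SET)` on the following line is also unchecked, and search_chunk's body continues outside the hunk.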
diff --git a/extract.c b/extract.c
index 9639117..4fecde5 100755
--- a/extract.c
+++ b/extract.c
@@ -553,7 +553,6 @@ unsigned char *extract_htm(f_state *s, u_int64_t c_offset, unsigned char *founda
{
unsigned char *buf = foundat;
unsigned char *extractbuf = NULL;
- unsigned char *currentpos = NULL;
int bytes_to_search = 0;
int i = 0;
@@ -582,7 +581,6 @@ unsigned char *extract_htm(f_state *s, u_int64_t c_offset, unsigned char *founda
}
/*Store the current position and search for the HTML> tag*/
- currentpos = foundat;
foundat = bm_search(needle->footer,
needle->footer_len,
foundat,
@@ -1146,15 +1144,15 @@ unsigned char *extract_mov(f_state *s, u_int64_t c_offset, unsigned char *founda
unsigned char *extract_wmv(f_state *s, u_int64_t c_offset, unsigned char *foundat, u_int64_t buflen,
s_spec *needle, u_int64_t f_offset)
{
-
- unsigned char *currentpos = NULL;
+#ifdef DEBUG
+ u_int64_t fileObjHeaderSize = 0;
+#endif
unsigned char *header = foundat;
unsigned char *extractbuf = NULL;
unsigned char *buf = foundat;
unsigned int size = 0;
u_int64_t file_size = 0;
u_int64_t headerSize = 0;
- u_int64_t fileObjHeaderSize = 0;
int numberofHeaderObjects = 0;
int reserved[2];
int bytes_to_search = 0;
@@ -1184,7 +1182,6 @@ unsigned char *extract_wmv(f_state *s, u_int64_t c_offset, unsigned char *founda
return foundat;
}
- currentpos = foundat;
if (buflen - (foundat - buf) >= needle->max_len)
bytes_to_search = needle->max_len;
else
@@ -1201,7 +1198,9 @@ unsigned char *extract_wmv(f_state *s, u_int64_t c_offset, unsigned char *founda
if (foundat)
{
foundat += 16; /*jump to the headersize*/
+#ifdef DEBUG
fileObjHeaderSize = htoll(foundat, FOREMOST_LITTLE_ENDIAN);
+#endif
//printx(foundat,0,8);
foundat += 24; //Jump to the file size obj
size = htoi(foundat, FOREMOST_LITTLE_ENDIAN);
@@ -1401,7 +1400,6 @@ unsigned char *extract_gif(f_state *s, u_int64_t c_offset, unsigned char *founda
s_spec *needle, u_int64_t f_offset)
{
unsigned char *buf = foundat;
- unsigned char *currentpos = foundat;
unsigned char *extractbuf = NULL;
int bytes_to_search = 0;
unsigned short width = 0;
@@ -1420,7 +1418,6 @@ unsigned char *extract_gif(f_state *s, u_int64_t c_offset, unsigned char *founda
sprintf(comment, " (%d x %d)", width, height);
strcat(needle->comment, comment);
- currentpos = foundat;
if (buflen - (foundat - buf) >= needle->max_len)
bytes_to_search = needle->max_len;
else
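Review bot: The context lines `sprintf(comment, " (%d x %d)", width, height);` and `strcat(needle->comment, comment);` append to `needle->comment` with no length bound, and this cleanup leaves them as they are. Both buffers are declared outside the hunk, so whether repeated appends can overflow is not visible here, but the values are presumably parsed from the data being carved and should not be trusted to stay small in aggregate. Assuming both are arrays, bounded forms would be `snprintf(comment, sizeof comment, " (%d x %d)", width, height);` and `strncat(needle->comment, comment, sizeof needle->comment - strlen(needle->comment) - 1);`.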
@@ -1821,7 +1818,6 @@ unsigned char *extract_jpeg(f_state *s, u_int64_t c_offset, unsigned char *found
s_spec *needle, u_int64_t f_offset)
{
unsigned char *buf = foundat;
- unsigned char *currentpos = NULL;
unsigned char *extractbuf = NULL;
unsigned short headersize;
@@ -1899,8 +1895,6 @@ unsigned char *extract_jpeg(f_state *s, u_int64_t c_offset, unsigned char *found
return buf + needle->header_len;
}
- currentpos = foundat;
-
//sprintf("Searching for footer\n");
if (buflen < (foundat - buf)) {
#ifdef DEBUG
@@ -2094,19 +2088,21 @@ unsigned char *extract_exe(f_state *s, u_int64_t c_offset, unsigned char *founda
unsigned char *extractbuf = NULL;
u_int64_t file_size = 0;
unsigned short pe_offset = 0;
- unsigned int SizeOfCode = 0;
- unsigned int SizeOfInitializedData = 0;
- unsigned int SizeOfUninitializedData = 0;
- unsigned int rva = 0;
unsigned int offset = 0;
unsigned short sections = 0;
- unsigned int sizeofimage = 0;
unsigned int raw_section_size = 0;
- unsigned int size_of_headers = 0;
unsigned short dll = 0;
unsigned int sum = 0;
unsigned short exe_char = 0;
+#ifdef DEBUG
+ unsigned int SizeOfInitializedData = 0;
+ unsigned int SizeOfUninitializedData = 0;
+ unsigned int SizeOfCode = 0;
+ unsigned int rva = 0;
+ unsigned int sizeofimage = 0;
+ unsigned int size_of_headers = 0;
unsigned int align = 0;
+#endif
int i = 0;
time_t compile_time = 0;
struct tm *ret_time;
@@ -2167,14 +2163,16 @@ unsigned char *extract_exe(f_state *s, u_int64_t c_offset, unsigned char *founda
foundat += 0x18; /*Jump to opt header should be 0x0b 0x01*/
+#ifdef DEBUG
SizeOfCode = htoi(&foundat[4], FOREMOST_LITTLE_ENDIAN);
SizeOfInitializedData = htoi(&foundat[8], FOREMOST_LITTLE_ENDIAN);
SizeOfUninitializedData = htoi(&foundat[12], FOREMOST_LITTLE_ENDIAN);
rva = htoi(&foundat[16], FOREMOST_LITTLE_ENDIAN);
align = htoi(&foundat[36], FOREMOST_LITTLE_ENDIAN);
-
sizeofimage = htoi(&foundat[56], FOREMOST_LITTLE_ENDIAN);
size_of_headers = htoi(&foundat[60], FOREMOST_LITTLE_ENDIAN);
+#endif
+
foundat += 224;
/*Start of sections*/
@@ -2193,13 +2191,13 @@ unsigned char *extract_exe(f_state *s, u_int64_t c_offset, unsigned char *founda
sum = offset + raw_section_size;
}
- /*
+#ifdef DEBUG
printf("rva is %d sum= %d\n",rva,sum);
printf("soi is %d,soh is %d \n",sizeofimage,size_of_headers);
printf("we are off by %d\n",sum-buflen);
printf("soc=%d ,soidr=%d, souid=%d\n",SizeOfCode,SizeOfInitializedData,SizeOfUninitializedData);
printf("fs=%d ,extr=%d\n",SizeOfCode+SizeOfInitializedData,SizeOfUninitializedData);
- */
+#endif
file_size = sum;
if (file_size < 512 || file_size > 4 * MEGABYTE)
{
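Review bot: Replacing the `/* ... */` block with `#ifdef DEBUG` turns these `printf` calls into live code, and `printf("we are off by %d\n",sum-buflen);` then passes a 64-bit value to `%d` if `buflen` is `u_int64_t` here as it is in the extract_wmv signature shown earlier. That is undefined behaviour in a DEBUG build and will raise a `-Wformat` warning, which defeats the purpose of a warning cleanup. Suggested: `printf("we are off by %lld\n", (long long)sum - (long long)buflen);`, and `%u` rather than `%d` for the `unsigned int` values on the neighbouring lines. extract_exe's body continues outside the hunk.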
@@ -2267,7 +2265,6 @@ unsigned char *extract_rar(f_state *s, u_int64_t c_offset, unsigned char *founda
{
unsigned char *buf = foundat;
unsigned char *extractbuf = NULL;
- u_int64_t file_size = 0;
unsigned short headersize = 0;
unsigned short flags = 0;
unsigned int filesize = 0;
@@ -2424,8 +2421,6 @@ unsigned char *extract_rar(f_state *s, u_int64_t c_offset, unsigned char *founda
/*We found the EOF, write the file to disk and return*/
tot_file_size = (foundat - buf);
- if (tot_file_size > buflen)
- file_size = buflen;
extractbuf = buf;
write_to_disk(s, needle, tot_file_size, extractbuf, c_offset + f_offset);
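Review bot: Deleting `if (tot_file_size > buflen) file_size = buflen;` silences the set-but-unused warning but also removes the only trace that `tot_file_size` was meant to be clamped. The old code assigned the limit to the wrong variable, so the clamp never took effect, and `write_to_disk(s, needle, tot_file_size, extractbuf, c_offset + f_offset)` still receives `foundat - buf` unchecked. If `foundat` can be advanced past `buf + buflen` by sizes read from the archive being carved (that code is outside the hunk), the call reads beyond the buffer and writes adjacent memory into the recovered file. Rather than removing the check, correct it: `if (tot_file_size > buflen) tot_file_size = buflen;`.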