PhotoRec: recover encrypted file by eCryptfs

This commit is contained in:
Christophe Grenier 2009-10-25 18:37:41 +01:00
parent 5e2419cf2a
commit b646a5ff15
3 changed files with 93 additions and 0 deletions

View file

@ -81,6 +81,7 @@ file_C = filegen.c \
file_dxf.c \
file_e01.c \
file_edb.c \
file_ecryptfs.c \
file_elf.c \
file_emf.c \
file_evt.c \

90
src/file_ecryptfs.c Normal file
View file

@ -0,0 +1,90 @@
/*
File: file_ecryptfs.c
Copyright (C) 2009 Christophe GRENIER <grenier@cgsecurity.org>
This software is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write the Free Software Foundation, Inc., 51
Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#ifdef HAVE_STRING_H
#include <string.h>
#endif
#include <stdio.h>
#include "types.h"
#include "filegen.h"
#include "common.h"
static void register_header_check_ecryptfs(file_stat_t *file_stat);
static int header_check_ecryptfs(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new);
const file_hint_t file_hint_ecryptfs= {
.extension="eCryptfs",
.description="Encrypted file by eCryptfs",
.min_header_distance=0,
.max_filesize=PHOTOREC_MAX_FILE_SIZE,
.recover=1,
.enable_by_default=1,
.register_header_check=&register_header_check_ecryptfs
};
static const unsigned char ecryptfs_header[2]= {0, 0};
struct ecrypfs_header {
uint64_t unencrypted_file_size;
uint32_t marker1;
uint32_t marker2;
unsigned char version;
unsigned char reserved1;
unsigned char reserved2;
uint32_t flags;
} __attribute__ ((__packed__));
static void register_header_check_ecryptfs(file_stat_t *file_stat)
{
register_header_check(0, ecryptfs_header, sizeof(ecryptfs_header), &header_check_ecryptfs, file_stat);
}
static void file_check_ecryptfs(file_recovery_t *file_recovery)
{
if(file_recovery->file_size < file_recovery->calculated_file_size)
file_recovery->file_size=0;
else if(file_recovery->file_size > file_recovery->calculated_file_size+1024*1024)
file_recovery->file_size=file_recovery->calculated_file_size+1024*1024;
}
static int header_check_ecryptfs(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new)
{
const struct ecrypfs_header *e=(const struct ecrypfs_header *)buffer;
if((be32(e->marker1) ^ be32(e->marker2)) == 0x3c81b7f5)
{
reset_file_recovery(file_recovery_new);
#ifdef DJGPP
file_recovery_new->extension="ecr";
#else
file_recovery_new->extension=file_hint_ecryptfs.extension;
#endif
file_recovery_new->min_filesize=be64(e->unencrypted_file_size);
file_recovery_new->calculated_file_size=be64(e->unencrypted_file_size);
file_recovery_new->data_check=NULL;
file_recovery_new->file_check=&file_check_ecryptfs;
return 1;
}
return 0;
}

View file

@ -82,6 +82,7 @@ extern const file_hint_t file_hint_dv;
extern const file_hint_t file_hint_dwg;
extern const file_hint_t file_hint_dxf;
extern const file_hint_t file_hint_e01;
extern const file_hint_t file_hint_ecryptfs;
extern const file_hint_t file_hint_edb;
extern const file_hint_t file_hint_elf;
extern const file_hint_t file_hint_emf;
@ -277,6 +278,7 @@ file_enable_t list_file_enable[]=
{ .enable=0, .file_hint=&file_hint_dwg },
{ .enable=0, .file_hint=&file_hint_dxf },
{ .enable=0, .file_hint=&file_hint_e01 },
{ .enable=0, .file_hint=&file_hint_ecryptfs },
{ .enable=0, .file_hint=&file_hint_edb },
{ .enable=0, .file_hint=&file_hint_elf },
{ .enable=0, .file_hint=&file_hint_emf },