From 655990956284dbb9846ef94865f2538f5d3d35c3 Mon Sep 17 00:00:00 2001 From: Ludovic Pouzenc Date: Sun, 30 Aug 2015 10:17:18 +0200 Subject: find_bootsect : improvement against false positives, need configurable settings --- mytasks.py | 42 +++++++++++++++++++++++++----------------- 1 file changed, 25 insertions(+), 17 deletions(-) diff --git a/mytasks.py b/mytasks.py index 21ae365..9ec623c 100644 --- a/mytasks.py +++ b/mytasks.py @@ -59,7 +59,8 @@ def do_find_files(d,state): # Hash in memory the whole read sector and store it's provenance ref_big_hash[data] = (ref_no, ref_offset) - start = 0 + start = 0 # FIXME : make it tunable + start = 0x00132870000 end = min(d.disks_size) one_per_thousand = (end - start) / 1000 one_per_thousand = one_per_thousand + ( (-one_per_thousand)%512 ) 
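Review bot: The two consecutive assignments below the `ref_big_hash` loop leave `start = 0 # FIXME : make it tunable` dead and commit a hard-coded debugging offset, `start = 0x00132870000`, so the scan silently skips roughly the first 5 GB of every disk, and on a disk smaller than that offset `end - start` goes negative and the subsequent `xrange(start, end, 512)` loop runs zero iterations with no warning. Keeping the override out of the default path would be safer: `start = 0  # FIXME : make it tunable`, with any resume offset supplied by the caller (for example an entry in `state` defaulting to 0) rather than a literal in the function body. If a non-zero start is kept, log it above DEBUG level and reject `start >= end` explicitly instead of computing a negative `one_per_thousand`. do_find_files begins and ends outside this hunk.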
@@ -205,34 +206,41 @@ def do_find_bootsect(d,state): try: state['state'] = 'initializing' ref_sig = binascii.unhexlify('55AA') + ref_bootflags = ( binascii.unhexlify('00'), binascii.unhexlify('80') ) + ref_parttypes = ( binascii.unhexlify('FB'), binascii.unhexlify('FC') ) start = 0 end = min(d.disks_size) - one_percent = (end - start) / 100 - one_percent = one_percent + ( (-one_percent)%512 ) - logging.debug("start/end/1pc : %i / %i / %i"%(start,end,one_percent)) + one_per_thousand = (end - start) / 1000 + one_per_thousand = one_per_thousand + ( (-one_per_thousand)%512 ) + logging.debug("start/end/1pc : %i / %i / %i"%(start,end,one_per_thousand)) state['found'] = [] - state['progress'] = 0 + state['progress'] = 0.0 state['state'] = 'searching' for offset in xrange(start, end, 512): for disk_no in range(d.disk_count): d.disks[disk_no].seek(offset) data = d.disks[disk_no].read(512) - sig = data[510:] - if sig == ref_sig: - f = state['found'] - if len(f) < 200: - f.append((disk_no,offset)) - state['found'] = f - else: - state['state'] = 'aborted' - raise Exception('Aborting after too many matches') + if data[0x1fe:] == ref_sig: # Found magic 55AA + logging.debug("find_bootsect : found Magic at '%s'@0x%011x (%s)"%(disk_no,offset,binascii.hexlify(data[0x1be+0x0]))) + if data[0x1be+0x0] in ref_bootflags: # Partition 1 : valid flags for bootable + logging.debug("find_bootsect : found correct part1 flag byte at '%s'@0x%011x"%(disk_no,offset)) + # FIXME : make part type detection parametrable + if data[0x1be+0x4] in ref_parttypes: # Partition 1 : type VMWare + logging.debug("find_bootsect : found correct part1 type at '%s'@0x%011x"%(disk_no,offset)) + f = state['found'] + if len(f) < 200: + f.append((disk_no,offset)) + state['found'] = f + else: + state['state'] = 'aborted' + raise Exception('Aborting after too many matches') - if offset % one_percent == 0: - state['progress'] = state['progress'] + 1 + if offset % one_per_thousand == 0: + state['progress'] = 
state['progress'] + 0.1 - state['progress'] = 100 + state['progress'] = 100.0 state['state'] = 'finished' except Exception as e: logging.exception(e) -- cgit v1.2.3
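Review bot: The new filter at `if data[0x1be+0x0] in ref_bootflags` and `if data[0x1be+0x4] in ref_parttypes` inspects only the first of the four 16-byte MBR partition entries, so a sector whose first slot is unused but whose second to fourth slot holds a 0xFB/0xFC partition is now rejected, while any sector that happens to carry 0x00 or 0x80 at 0x1be and 0xFB/0xFC at 0x1c2 still passes; if the intent is "any VMware-typed entry" rather than specifically slot 1, the check should walk `range(0x1be, 0x1fe, 16)` as sketched below. The accepted types remain the hard-coded `ref_parttypes` tuple that the `# FIXME` already flags; taking them (and the 200-match abort threshold) from `state` or a named module-level constant would make the policy reviewable instead of baked into the loop. Separately, `state['found'] = f` after `f.append((disk_no,offset))` is a no-op because `f` is the same list object, so that line can go. do_find_bootsect starts outside the hunk (its `def` appears only in the hunk header) and may continue past `logging.exception(e)`.

```python
                if data[0x1fe:] == ref_sig: # Found magic 55AA
                    # Examine all four primary entries, not only slot 1, so an MBR
                    # with an empty first slot is still considered.
                    for entry in range(0x1be, 0x1fe, 16):
                        if data[entry] in ref_bootflags and data[entry + 0x4] in ref_parttypes:
                            logging.debug("find_bootsect : found matching entry at '%s'@0x%011x"%(disk_no,offset))
                            # … unchanged: append to state['found'] or abort after 200 matches …
                            break
```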