denyhosts/clamscan/libclamav/hfsplus.h
2022-10-22 18:41:00 +08:00

363 lines
9.7 KiB
C

/*
* Copyright (C) 2013-2022 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
* Copyright (C) 2013 Sourcefire, Inc.
*
* Authors: David Raynor <draynor@sourcefire.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
* MA 02110-1301, USA.
*/
#ifndef __HFSPLUS_H
#define __HFSPLUS_H
#if HAVE_CONFIG_H
#include "clamav-config.h"
#endif
#include "clamav-types.h"
/* Structures based on Apple Technote 1150 */
/* volume attributes that may affect reading */
enum hfsVolAttributes {
/* hfsVolumeHardwareLockBit = 7, */
hfsVolumeUnmountedBit = 8,
hfsVolumeSparedBlocksBit = 9,
/* hfsVolumeNoCacheRequiredBit = 10, */
hfsBootVolumeInconsistentBit = 11,
hfsCatalogNodeIDsReusedBit = 12,
hfsVolumeJournaledBit = 13
/* hfsVolumeSoftwareLockBit = 15 */
};
/* reserved CatalogNodeID values */
enum {
hfsRootParentID = 1,
hfsRootFolderID = 2,
hfsExtentsFileID = 3,
hfsCatalogFileID = 4,
hfsBadBlockFileID = 5,
hfsAllocationFileID = 6,
hfsStartupFileID = 7,
hfsAttributesFileID = 8,
hfsRepairCatalogFileID = 14,
hfsBogusExtentFileID = 15,
hfsFirstUserCatalogNodeID = 16
};
#ifndef HAVE_ATTRIB_PACKED
#define __attribute__(x)
#endif
#ifdef HAVE_PRAGMA_PACK
#pragma pack(2)
#endif
#ifdef HAVE_PRAGMA_PACK_HPPA
#pragma pack 2
#endif
/* Basic HFS+ structures */
struct hfsUniStr255 {
uint16_t length;
uint16_t unicode[255];
} __attribute__((__packed__));
typedef struct hfsUniStr255 hfsUniStr255;
struct hfsPlusExtentDescriptor {
uint32_t startBlock;
uint32_t blockCount;
} __attribute__((__packed__));
typedef struct hfsPlusExtentDescriptor hfsPlusExtentDescriptor;
typedef hfsPlusExtentDescriptor hfsPlusExtentRecord[8];
struct hfsPlusForkData {
uint64_t logicalSize;
uint32_t clumpSize;
uint32_t totalBlocks;
hfsPlusExtentRecord extents;
} __attribute__((__packed__));
typedef struct hfsPlusForkData hfsPlusForkData;
/* HFS+ Volume Header (512 bytes) */
struct hfsPlusVolumeHeader {
uint16_t signature; /* H+ for HFS+, HX for HFSX */
uint16_t version;
uint32_t attributes;
uint32_t lastMountedVersion;
uint32_t journalInfoBlock;
uint32_t createDate;
uint32_t modifyDate;
uint32_t backupDate;
uint32_t checkedDate;
uint32_t fileCount;
uint32_t folderCount;
uint32_t blockSize;
uint32_t totalBlocks;
uint32_t freeBlocks;
uint32_t nextAllocation;
uint32_t rsrcClumpSize;
uint32_t dataClumpSize;
uint32_t nextCatalogID; /* Next unused catalog ID */
uint32_t writeCount;
uint64_t encodingsBitmap;
uint32_t finderInfo[8]; /* for Finder */
hfsPlusForkData allocationFile;
hfsPlusForkData extentsFile;
hfsPlusForkData catalogFile;
hfsPlusForkData attributesFile;
hfsPlusForkData startupFile;
} __attribute__((__packed__));
typedef struct hfsPlusVolumeHeader hfsPlusVolumeHeader;
#define HFS_FILETREE_ALLOCATION 1
#define HFS_FILETREE_EXTENTS 2
#define HFS_FILETREE_CATALOG 3
#define HFS_FILETREE_ATTRIBUTES 4
#define HFS_FILETREE_STARTUP 5
/* BSD object info (16 bytes) */
/* important parts for scanning are fileMode and the special part */
struct hfsPlusBSDInfo {
uint32_t ownerID;
uint32_t groupID;
uint8_t adminFlags;
uint8_t ownerFlags;
uint16_t fileMode;
union {
uint32_t iNodeNum;
uint32_t linkCount;
uint32_t rawDevice;
} special;
} __attribute__((__packed__));
typedef struct hfsPlusBSDInfo hfsPlusBSDInfo;
#define HFS_MODE_TYPEMASK 0170000
#define HFS_MODE_DIRECTORY 0040000
#define HFS_MODE_FILE 0100000
#define HFS_MODE_SOFTLINK 0120000
/******************************/
/* Node and tree structures */
/******************************/
/* B-tree node descriptor (14 bytes) */
struct hfsNodeDescriptor {
uint32_t fLink;
uint32_t bLink;
int8_t kind;
uint8_t height;
uint16_t numRecords;
uint16_t reserved;
} __attribute__((__packed__));
typedef struct hfsNodeDescriptor hfsNodeDescriptor;
/* Node kinds are int8_t */
#define HFS_NODEKIND_LEAF -1
#define HFS_NODEKIND_INDEX 0
#define HFS_NODEKIND_HEADER 1
#define HFS_NODEKIND_MAP 2
/* B-tree header record (106 bytes) */
struct hfsHeaderRecord {
uint16_t treeDepth;
uint32_t rootNode;
uint32_t leafRecords;
uint32_t firstLeafNode;
uint32_t lastLeafNode;
uint16_t nodeSize;
uint16_t maxKeyLength;
uint32_t totalNodes;
uint32_t freeNodes;
uint16_t reserved1;
uint32_t clumpSize;
uint8_t btreeType;
uint8_t keyCompareType;
uint32_t attributes;
uint32_t reserved3[16];
} __attribute__((__packed__));
typedef struct hfsHeaderRecord hfsHeaderRecord;
#define HFS_HEADERATTR_MASK 0x00000006
#define HFS_HEADERATTR_BIGKEYS 0x00000002
#define HFS_HEADERATTR_VARKEYS 0x00000004
struct hfsPlusCatalogKey {
uint16_t keyLength;
uint32_t parentID; /* CNID */
hfsUniStr255 nodeName;
} __attribute__((__packed__));
typedef struct hfsPlusCatalogKey hfsPlusCatalogKey;
struct hfsPlusCatalogFolder {
int16_t recordType;
uint16_t flags;
uint32_t valence;
uint32_t folderID; /* CNID */
uint32_t dates[5];
hfsPlusBSDInfo permissions;
uint16_t userInfo[8]; /* FolderInfo */
uint16_t finderInfo[8]; /* ExtendedFolderInfo */
uint32_t textEncoding;
uint32_t reserved;
} __attribute__((__packed__));
typedef struct hfsPlusCatalogFolder hfsPlusCatalogFolder;
struct hfsPlusCatalogFile {
int16_t recordType;
uint16_t flags;
uint32_t reserved1;
uint32_t fileID; /* CNID */
uint32_t dates[5];
hfsPlusBSDInfo permissions;
uint16_t userInfo[8]; /* FileInfo */
uint16_t finderInfo[8]; /* ExtendedFileInfo */
uint32_t textEncoding;
uint32_t reserved2;
hfsPlusForkData dataFork;
hfsPlusForkData resourceFork;
};
typedef struct hfsPlusCatalogFile hfsPlusCatalogFile;
struct hfsPlusCatalogThread {
int16_t recordType;
int16_t reserved;
uint32_t parentID; /* CNID */
hfsUniStr255 nodeName;
} __attribute__((__packed__));
typedef struct hfsPlusCatalogThread hfsPlusCatalogThread;
#define HFSPLUS_RECTYPE_FOLDER 0x0001
#define HFSPLUS_RECTYPE_FILE 0x0002
#define HFSPLUS_RECTYPE_FOLDERTHREAD 0x0003
#define HFSPLUS_RECTYPE_FILETHREAD 0x0004
#define HFSPLUS_RECTYPE_INLINE_DATA_ATTRIBUTE 0x0010
/* HFS types are similar
#define HFS_RECTYPE_FOLDER 0x0100
#define HFS_RECTYPE_FILE 0x0200
#define HFS_RECTYPE_FOLDERTHREAD 0x0300
#define HFS_RECTYPE_FILETHREAD 0x0400
*/
#define HFS_HARD_LINK_FILE_TYPE 0x686C6E6B /* hlnk */
/* Extents structures */
struct hfsPlusExtentKey {
uint16_t keyLength;
uint8_t forkType;
uint8_t pad;
uint32_t fileID; /* CNID */
uint32_t startBlock;
} __attribute__((__packed__));
typedef struct hfsPlusExtentKey hfsPlusExtentKey;
#define HFSPLUS_FORKTYPE_DATA 0x00
#define HFSPLUS_FORKTYPE_RSRC 0xFF
/* Attribute structures */
struct hfsPlusAttributeKey {
uint16_t keyLength;
uint16_t pad;
uint32_t cnid;
uint32_t startBlock;
uint16_t nameLength;
} __attribute__((__packed__));
typedef struct hfsPlusAttributeKey hfsPlusAttributeKey;
struct hfsPlusAttributeRecord {
uint32_t recordType;
uint32_t reserved1;
uint32_t reserved2;
uint32_t attributeSize;
} __attribute__((__packed__));
typedef struct hfsPlusAttributeRecord hfsPlusAttributeRecord;
struct hfsPlusCompressionHeader {
uint32_t magic;
uint32_t compressionType;
uint64_t fileSize;
} __attribute__((__packed__));
typedef struct hfsPlusCompressionHeader hfsPlusCompressionHeader;
/* Resource structures */
struct hfsPlusResourceHeader {
uint32_t dataOffset;
uint32_t mapOffset;
uint32_t dataLength;
uint32_t mapLength;
} __attribute__((__packed__));
typedef struct hfsPlusResourceHeader hfsPlusResourceHeader;
struct hfsPlusResourceMap {
uint8_t reserved1[16];
uint32_t reserved2;
uint16_t reserved3;
uint16_t resourceForkAttributes;
uint16_t typeListOffset;
uint16_t nameListOffset;
int16_t typeCount;
} __attribute__((__packed__));
typedef struct hfsPlusResourceMap hfsPlusResourceMap;
struct hfsPlusResourceType {
char type[4];
uint16_t instanceCount;
uint16_t referenceListOffset;
} __attribute__((__packed__));
typedef struct hfsPlusResourceType hfsPlusResourceType;
struct hfsPlusReferenceEntry {
uint16_t resourceId;
int16_t resourceNameOffset;
uint8_t resourceAttributes;
uint8_t resourceDataOffset[3];
uint32_t reserved1;
} __attribute__((__packed__));
typedef struct hfsPlusReferenceEntry hfsPlusReferenceEntry;
struct hfsPlusResourceBlockTable {
uint32_t offset;
uint32_t length;
} __attribute__((__packed__));
typedef struct hfsPlusResourceBlockTable hfsPlusResourceBlockTable;
#define HFSPLUS_COMPRESSION_INLINE 0x03
#define HFSPLUS_COMPRESSION_RESOURCE 0x04
#ifdef HAVE_PRAGMA_PACK
#pragma pack()
#endif
#ifdef HAVE_PRAGMA_PACK_HPPA
#pragma pack
#endif
#define HFS_VOL_INCONSISTENT(hdr) \
((hdr->attributes & (1 << hfsBootVolumeInconsistentBit)) || !(hdr->attributes & (1 << hfsVolumeUnmountedBit)))
/* Maximum number of catalog leaf nodes to scan for records */
#define HFSPLUS_NODE_LIMIT 1000
cl_error_t cli_scanhfsplus(cli_ctx *ctx);
#endif