Re: [ntfs-3g-devel] Intelligent hexdump for secaudit

Ulf Zibis Sun, 07 Feb 2016 10:53:14 -0800

Hi Jean-Pierre,

I have optimised the patch again a little ... see attachment.


-Ulf


Am 30.01.2016 um 14:16 schrieb Jean-Pierre André:

Hi,

Ulf Zibis wrote:

Hi,

I have coded a patch for a better hexdump.

Benefit:
Ability for expressive comparisons with diff tools.


Thanks, I will integrate this as an option in a future version.



[...]

# HG changeset patch
# User Ulf Zibis
# Date 1454108501 -3600
#      Sat Jan 30 00:01:41 2016 +0100
# Node ID 598cf6acbc29ebc92a67873573a381f15945de72
# Parent  08179df8a3fb0196d92100f80ad44995dc4034fd
Intelligent hexdump

diff --git a/src/secaudit.c b/src/secaudit.c
--- a/src/secaudit.c
+++ b/src/secaudit.c
@@ -212,7 +212,10 @@
  *     - decoded more "well-known" and generic SIDs
  *     - showed Windows ownership in verbose situations
  *     - fixed apparent const violations
- */
+ *
+ *  Jan 2016, version 1.4.3
+ *     - intelligent hexdump (Ulf Zibis)
+*/
 
 /*
  * This program is free software; you can redistribute it and/or modify
@@ -235,7 +238,7 @@
  *		General parameters which may have to be adapted to needs
  */
 
-#define AUDT_VERSION "1.4.2"
+#define AUDT_VERSION "1.4.3"
 
 #define GET_FILE_SECURITY "ntfs_get_file_security"
 #define SET_FILE_SECURITY "ntfs_set_file_security"
@@ -908,14 +911,22 @@
 
 void hexdump(const char *attr, int size, int level)
 {
-	int i,j;
-
-	for (i=0; i<size; i+=16) {
+	int offUSID = (int)get4l(attr,4);
+	int offGSID = (int)get4l(attr,8);
+	int offSACL = (int)get4l(attr,12);
+	int offDACL = (int)get4l(attr,16);
+	int i, next;
+	BOOL isSID = FALSE;
+
+	for (i=0, next=0x14; i<size; next+=0x8) {
+		if (isSID)
+			next += attr[i+1] * 4;
+		isSID = !isSID && i != 0 && i != offSACL && i != offDACL || next == offUSID || next == offGSID;
 		if (level)
 			printf("%*c",level,' ');
-		printf("%06x ",i);
-		for (j=i; (j<(i+16)) && (j<size); j++)
-			printf((j & 3 ? "%02x" : " %02x"),attr[j] & 255);
+		printf((size <= 0x100 ? "%02x " : size <= 0x10000 ? "%04x " : "%06x "),i);
+		for (; i<next && i<size; i++)
+			printf((i & 3 ? "%02x" : " %02x"),attr[i] & 255);
 		printf("\n");
 	}
 }
# HG changeset patch
# User Ulf Zibis
# Date 1454109602 -3600
#      Sat Jan 30 00:20:02 2016 +0100
# Node ID 1ebc5924fafa24158a962d17485468466c2b6cc6
# Parent  598cf6acbc29ebc92a67873573a381f15945de72
Reduced indentation level for hexdump

diff --git a/src/secaudit.c b/src/secaudit.c
--- a/src/secaudit.c
+++ b/src/secaudit.c
@@ -3118,7 +3118,7 @@
 			isdir,(SID*)owner_sid,(SID*)group_sid);
 	if (attr && ntfs_valid_descr(attr, ntfs_attr_size(attr))) {
 		if (opt_v)
-			hexdump(attr,ntfs_attr_size(attr),8);
+			hexdump(attr,ntfs_attr_size(attr),0);
 		if (opt_v >= 2) {
 			showheader(attr,4);
 			showusid(attr,4);
@@ -3829,7 +3829,7 @@
 			printf("** no or wrong permission settings "
 				"for kind %d perm %03o\n",kind,perm);
 			if (attr && opt_v)
-				hexdump(attr,ntfs_attr_size(attr),8);
+				hexdump(attr,ntfs_attr_size(attr),0);
 			if (attr && (opt_v >= 2)) {
 				showheader(attr,4);
 				showusid(attr,4);
@@ -3850,7 +3850,7 @@
 				"kind %d perm 0%03o, gotback %03o\n",
 				kind, perm, gotback);
 			if (opt_v)
-				hexdump(pxattr,ntfs_attr_size(pxattr),8);
+				hexdump(pxattr,ntfs_attr_size(pxattr),0);
 			if (opt_v >= 2) {
 				showheader(pxattr,4);
 				showusid(pxattr,4);
@@ -3870,7 +3870,7 @@
 				"kind %d perm 0%03o, gotback %03o\n",
 				kind, perm, gotback);
 			if (opt_v)
-				hexdump(attr,ntfs_attr_size(attr),8);
+				hexdump(attr,ntfs_attr_size(attr),0);
 			if (opt_v >= 2) {
 				showheader(attr,4);
 				showusid(attr,4);
@@ -5024,7 +5024,7 @@
 	attrsz = getfull(attr, fullname);
 	if (attrsz) {
 			if (opt_v || opt_b) {
-				hexdump(attr,attrsz,8);
+				hexdump(attr,attrsz,0);
 				printf("Computed hash : 0x%08lx\n",
 					(unsigned long)hash((le32*)attr,attrsz));
 			}
@@ -5381,7 +5381,7 @@
 				   || !psecurdata
 				   || (!psecurdata->filecount
 					&& !psecurdata->flags))) {
-				hexdump(attr,attrsz,8);
+				hexdump(attr,attrsz,0);
 				printf("Computed hash : 0x%08lx\n",
 					(unsigned long)hash((le32*)attr,attrsz));
 			}
@@ -5586,7 +5586,7 @@
 		attrsz = ntfs_getxattr(fullname,"system.ntfs_acl",attr,MAXATTRSZ);
 		if (attrsz > 0) {
 			if (opt_v) {
-				hexdump(attr,attrsz,8);
+				hexdump(attr,attrsz,0);
 				printf("Computed hash : 0x%08lx\n",
 					(unsigned long)hash((le32*)attr,attrsz));
 			}
@@ -5679,7 +5679,7 @@
 		attrsz = ntfs_getxattr(fullname,"system.ntfs_acl",attr,MAXATTRSZ);
 		if (attrsz > 0) {
 			if (opt_v) {
-				hexdump(attr,attrsz,8);
+				hexdump(attr,attrsz,0);
 				printf("Computed hash : 0x%08lx\n",
 					(unsigned long)hash((le32*)attr,attrsz));
 			}
@@ -6268,7 +6268,7 @@
 			else {
 				if (opt_v) {
 					printf("Entry size %d bytes\n",entrysz);
-					hexdump(&attr[20],size,8);
+					hexdump(&attr[20],size,0);
 				}
 
 				unsane = !valid_sds(attr,offset,entrysz,
# HG changeset patch
# User Ulf Zibis
# Date 1454813984 -3600
#      Sun Feb 07 03:59:44 2016 +0100
# Node ID 15e230255bfb0d70efe200d96c1f7890203b8d5e
# Parent  1ebc5924fafa24158a962d17485468466c2b6cc6
Optimized hexdump

diff --git a/src/secaudit.c b/src/secaudit.c
--- a/src/secaudit.c
+++ b/src/secaudit.c
@@ -215,7 +215,7 @@
  *
  *  Jan 2016, version 1.4.3
  *     - intelligent hexdump (Ulf Zibis)
-*/
+ */
 
 /*
  * This program is free software; you can redistribute it and/or modify
@@ -916,12 +916,11 @@
 	int offSACL = (int)get4l(attr,12);
 	int offDACL = (int)get4l(attr,16);
 	int i, next;
-	BOOL isSID = FALSE;
-
-	for (i=0, next=0x14; i<size; next+=0x8) {
-		if (isSID)
-			next += attr[i+1] * 4;
-		isSID = !isSID && i != 0 && i != offSACL && i != offDACL || next == offUSID || next == offGSID;
+	BOOL isSID;
+
+	for (i=0, next=0x14, isSID=FALSE; i<size;
+			next += 0x8 + (isSID ? attr[i+1]*4 : 0),
+			isSID = !isSID && i != offSACL && i != offDACL || next == offUSID || next == offGSID) {
 		if (level)
 			printf("%*c",level,' ');
 		printf((size <= 0x100 ? "%02x " : size <= 0x10000 ? "%04x " : "%06x "),i);
@@ -1019,8 +1018,7 @@
 					if (utf16[i+1] & 4)
 						state = ERR;
 					else {
-						utf8[size++] = 0xf0 + (utf16[i+1] & 7)
-                                                                    + ((utf16[i] & 0xc0) == 0xc0);
+						utf8[size++] = 0xf0 + (utf16[i+1] & 7) + ((utf16[i] & 0xc0) == 0xc0);
 						utf8[size++] = 0x80 + (((utf16[i] + 64) >> 2) & 63);
 						rem = utf16[i] & 3;
 						state = SURR;

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140

_______________________________________________
ntfs-3g-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ntfs-3g-devel

Re: [ntfs-3g-devel] Intelligent hexdump for secaudit

Reply via email to