More line bounds checking

Brian Carrier 2018-03-28 22:05:34 -04:00
parent 90667719ed
commit 4df825e504


@ -384,16 +384,23 @@ class VolatilityProcessor {
return "";
filePath = filePath.trim();
// strip C: and \??\C:
if (filePath.contains(":")) {
filePath = filePath.substring(filePath.indexOf(":") + 1);
}
// change slash direction
filePath = filePath.replaceAll("\\\\", "/");
filePath = filePath.toLowerCase();
// \??\c:\windows ...
if ((filePath.length() > 4) && (filePath.startsWith("/??/"))) {
filePath = filePath.substring(4);
}
// strip C:
if (filePath.contains(":")) {
int index = filePath.indexOf(":");
if (index+1 < filePath.length())
filePath = filePath.substring(index + 1);
}
filePath = filePath.replaceAll("/systemroot/", "/windows/");
// catches 1 type of file in cmdline
filePath = filePath.replaceAll("%systemroot%", "/windows/");
@ -402,7 +409,9 @@ class VolatilityProcessor {
// example: \Device\clfs\Device\HarddiskVolume2\Users\joe\AppData\Local\Microsoft\Windows\UsrClass.dat{e15d4b01-1598-11e8-93e6-080027b5e733}.TM
if (filePath.contains("/harddiskvolume")) {
// 16 advances beyond harddiskvolume and the number
filePath = filePath.substring(filePath.indexOf("/harddiskvolume") + 16);
int index = filePath.indexOf("/harddiskvolume");
if (index+16 < filePath.length())
filePath = filePath.substring(index + 16);
}
// no point returning these. We won't map to them
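Review bot: The new guard in the `/harddiskvolume` branch keeps the hard-coded 16-character skip, so a two-digit volume such as `/harddiskvolume10/users/...` would come back as `0/users/...` instead of `/users/...`, and a line too short for the skip now keeps the whole `/harddiskvolume` prefix rather than being dropped. Looking for the next separator handles any number of digits and makes the short case explicit: `int index = filePath.indexOf("/harddiskvolume");` / `int next = filePath.indexOf('/', index + 15);` / `if (next != -1) filePath = filePath.substring(next);`. I cannot tell from this hunk whether a path that still starts with `/harddiskvolume` is rejected later; if it is not, the `next == -1` case should presumably return an empty string the way the "no point returning these" comment below suggests is done for other unmappable inputs. `normalizePath` starts before this hunk and continues after it.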
@ -457,34 +466,12 @@ class VolatilityProcessor {
String line;
while ((line = br.readLine()) != null) {
String TAG = "Command line : ";
if (line.startsWith(TAG)) {
// we skip the Command Line entries because that data
// is also in the 0x lines (and is more likely to have a full path there.
if(line.length() > TAG.length()) {
String file_path;
// Command line : "C:\Program Files\VMware\VMware Tools\vmacthlp.exe"
// grab whats inbetween the quotes
if (line.charAt(TAG.length()) == '\"') {
file_path = line.substring(TAG.length() + 1);
if (file_path.contains("\"")) {
file_path = file_path.substring(0, file_path.indexOf("\""));
}
}
// Command line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512
// grab everything before the next space - we don't want arguments
else {
file_path = line.substring(TAG.length());
if (file_path.contains(" ")) {
file_path = file_path.substring(0, file_path.indexOf(" "));
}
}
fileSet.add(normalizePath(file_path));
}
}
// 0x4a680000 0x5000 0xffff \??\C:\WINDOWS\system32\csrss.exe
// 0x7c900000 0xb2000 0xffff C:\WINDOWS\system32\ntdll.dll
else if (line.startsWith("0x") && line.length() > 33) {
if (line.startsWith("0x") && line.length() > 33) {
// These lines do not have arguments
String file_path = line.substring(33);
fileSet.add(normalizePath(file_path));
@ -506,8 +493,9 @@ class VolatilityProcessor {
// read the first line from the text file
while ((line = br.readLine()) != null) {
try {
String file_path;
file_path = line.substring(41);
if (line.length() < 41)
continue;
String file_path = line.substring(41);
fileSet.add(normalizePath(file_path));
} catch (StringIndexOutOfBoundsException ex) {
// TO DO Catch exception
@ -530,7 +518,7 @@ class VolatilityProcessor {
while ((line = br.readLine()) != null) {
if (line.length() > 16) {
String TAG = "Command line : ";
if (line.startsWith(TAG)) {
if ((line.startsWith(TAG)) && line.length() > TAG.length() + 1) {
String file_path;
// Command line : "C:\Program Files\VMware\VMware Tools\vmacthlp.exe"
@ -603,6 +591,8 @@ class VolatilityProcessor {
// 0x000000000969a020 notepad.exe 3604 3300 0x16d40340 2018-01-12 14:41:16 UTC+0000
if (line.startsWith("0x") == false)
continue;
if (line.length() < 37)
continue;
String file_path = line.substring(19, 37);
file_path = normalizePath(file_path);
@ -631,8 +621,9 @@ class VolatilityProcessor {
continue;
// 0x89cfb998 csrss.exe 704 640 14 532 0 0 2017-12-07 14:05:34 UTC+0000
String file_path;
file_path = line.substring(10, 34);
if (line.length() < 34)
continue;
String file_path = line.substring(10, 34);
file_path = normalizePath(file_path);
// ignore system, it's not really a path
@ -661,6 +652,8 @@ class VolatilityProcessor {
// 0x09adf980 svchost.exe 1368 True True False True True True True
if (line.startsWith("0x") == false)
continue;
if (line.length() < 34)
continue;
String file_path = line.substring(11, 34);
file_path = normalizePath(file_path);
@ -686,10 +679,12 @@ class VolatilityProcessor {
// read the first line from the text file
while ((line = br.readLine()) != null) {
// ... 0x897e5020:services.exe 772 728 15 287 2017-12-07 14:05:35 UTC+000
String file_path;
String TAG = ":";
if (line.contains(TAG)) {
file_path = line.substring(line.indexOf(":") + 1, 52);
int index = line.indexOf(TAG);
if (line.length() < 52 || index + 1 >= 52)
continue;
String file_path = line.substring(line.indexOf(TAG) + 1, 52);
file_path = normalizePath(file_path);
// ignore system, it's not really a path
@ -716,7 +711,7 @@ class VolatilityProcessor {
while ((line = br.readLine()) != null) {
String file_path;
String TAG = "Binary Path: ";
if (line.startsWith(TAG)) {
if (line.startsWith(TAG) && line.length() > TAG.length()+1) {
if (line.charAt(TAG.length()) == '\"') {
file_path = line.substring(TAG.length()+1);
if (file_path.contains("\"")) {