On 09/05/17 16:48, Pino Toscano wrote:
The current need for #ifdef's based on the presence of
PyString_FromString makes both the OCaml code of the generator, and the
generated C code a mess to read.
Hence, add three simple wrappers to make both the OCaml and C code more
readable, and easier to
2017-04-24 11:58 GMT+03:00 Richard W.M. Jones :
> On Sun, Apr 23, 2017 at 07:49:56PM +0300, Matteo Cafasso wrote:
> > + if (r == -1) { /* write error */
> > +err = errno;
> > +r = cancel_receive ();
>
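Review bot: in the write-error branch, `r = cancel_receive ();` overwrites the `r == -1` that recorded the write failure, so the error status is lost unless the caller re-derives it from `err`; if the result of cancel_receive () is not needed here, wrap the call in ignore_value () rather than assigning it to `r`.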
> You need to use ignore_value here, and it needs to be
2017-02-21 16:32 GMT+02:00 Pino Toscano <ptosc...@redhat.com>:
> On Monday, 20 February 2017 13:46:29 CET NoxDaFox wrote:
> > 2017-02-20 12:26 GMT+02:00 Daniel P. Berrange <berra...@redhat.com>:
> >
> > > On Sun, Feb 19, 2017 at 07:09:51PM +0200, Matteo C
2017-02-20 12:26 GMT+02:00 Daniel P. Berrange :
> On Sun, Feb 19, 2017 at 07:09:51PM +0200, Matteo Cafasso wrote:
> > Rebase patches on top of 1.35.25.
> >
> > No changes since last series.
>
> Can you explain the motivation behind adding the APIs to libguestfs ?
>
> Since
On 24/11/16 17:42, Pino Toscano wrote:
On Tuesday, 22 November 2016 19:41:10 CET noxdafox wrote:
yara_load supports loading rules already compiled, which could have a
namespace set -- I guess it should be reported here as well.
The namespace is accessible via the YR_RULE struct:
https
On 21/11/16 18:27, Pino Toscano wrote:
On Wednesday, 9 November 2016 22:38:53 CET Matteo Cafasso wrote:
The yara_load API allows to load a set of Yara rules contained within a
file on the host.
Rules can be in binary format, as when compiled with yarac command, or
in source code format. In the
Ok on most of the comments, only few notes on the last one.
On 22/11/16 11:04, Pino Toscano wrote:
On Wednesday, 9 November 2016 22:38:55 CET Matteo Cafasso wrote:
The internal_yara_scan runs the Yara engine with the previously loaded
rules against the given file.
For each rule matching
2016-10-11 11:56 GMT+03:00 Pino Toscano :
> On Saturday, 8 October 2016 18:27:21 CEST Matteo Cafasso wrote:
> > Patch ready for merging.
> >
> > v4:
> >
> > - check return code of tsk_fs_attr_walk
> > - pass TSK_FS_FILE_WALK_FLAG_NOSPARSE as additional flag to
> >
2016-09-23 11:52 GMT+03:00 Pino Toscano :
> On Tuesday, 20 September 2016 16:19:30 CEST Matteo Cafasso wrote:
> > + for (index = 0; index < count; index++) {
> > +fsattr = tsk_fs_file_attr_get_idx (fsfile, index);
> > +
> > +if (fsattr != NULL && fsattr->flags &
2016-09-20 11:38 GMT+03:00 Pino Toscano :
> On Monday, 19 September 2016 23:26:57 CEST Matteo Cafasso wrote:
> > The internal_find_block command searches all entries referring to the
> > given filesystem data block and returns a tsk_dirent structure
> > for each of them.
> >
building to help automating
security assessment and forensics analysis of disk images.
https://github.com/noxdafox/vminspect
I did not test it much yet. Therefore, it might raise several false
positives or miss important vulnerabilities but considering it's ~ 100
lines of Python code, I'd say
On 26/08/16 15:58, Pino Toscano wrote:
On Friday, 26 August 2016 15:15:17 CEST noxdafox wrote:
On 26/08/16 14:15, Pino Toscano wrote:
On Thursday, 25 August 2016 23:53:51 CEST Matteo Cafasso wrote:
With the current implementation, the root inode of the given partition
is ignored.
The root
On 26/08/16 14:15, Pino Toscano wrote:
On Thursday, 25 August 2016 23:53:51 CEST Matteo Cafasso wrote:
With the current implementation, the root inode of the given partition
is ignored.
The root inode is now reported. Its name will be a single dot '.'
reproducing the TSK API.
Signed-off-by:
2016-08-25 16:12 GMT+03:00 Pino Toscano <ptosc...@redhat.com>:
> On Thursday, 25 August 2016 16:05:47 CEST NoxDaFox wrote:
> > 2016-08-25 14:09 GMT+03:00 Pino Toscano <ptosc...@redhat.com>:
> >
> > > On Wednesday, 24 August 2016 23:59:53 CEST Matteo Cafas
2016-08-25 14:19 GMT+03:00 Pino Toscano :
> On Wednesday, 24 August 2016 23:59:54 CEST Matteo Cafasso wrote:
> > The internal_find_inode command searches all entries referring to the
> > given inode and returns a tsk_dirent structure for each of them.
> >
> > The command is
2016-08-25 14:09 GMT+03:00 Pino Toscano :
> On Wednesday, 24 August 2016 23:59:53 CEST Matteo Cafasso wrote:
> > The find_inode API allows the User to search all the entries referring
> > to a given inode and returns a tsk_dirent structure for each of them.
> >
> > As I
an example on libguestfs-based VM scanning solution in here:
https://github.com/noxdafox/vminspect
If you check the "timeline" command implementation, you'll find few of
the new APIs in use.
Considering they are quite specific, I was
thinking about adding a documentation paragraph and/or some
On 04/07/16 16:25, Pino Toscano wrote:
On Monday 04 July 2016 00:00:59 Matteo Cafasso wrote:
Access, modification, last status change and creation time in
Unix format as for statns.
Number of links pointing to a given entry.
If the entry is a symbolic link, report its target path.
A new flag
On 28/06/16 23:01, Richard W.M. Jones wrote:
On Tue, Jun 28, 2016 at 10:49:16PM +0300, Matteo Cafasso wrote:
Already implemented entries.
tsk_inode
tsk_type
tsk_size
tsk_name
tsk_flags
Easy ones to add.
tsk_atime_sec
tsk_atime_nsec
tsk_mtime_sec
tsk_mtime_nsec
tsk_ctime_sec
tsk_ctime_nsec
On 15/06/16 16:56, Richard W.M. Jones wrote:
On Mon, Jun 13, 2016 at 07:50:52PM +0300, Matteo Cafasso wrote:
diff --git a/generator/structs.ml b/generator/structs.ml
index 6017ba6..3c2cc61 100644
--- a/generator/structs.ml
+++ b/generator/structs.ml
@@ -444,6 +444,19 @@ let structs = [
On 05/04/16 20:33, Pino Toscano wrote:
On Tuesday 05 April 2016 18:47:32 Matteo Cafasso wrote:
The tests check that the filesystem_walk command is able to retrieve
information regarding both existing and deleted files.
An NTFS image is used as Ext3+ filesystems deletion is more aggressive
in
On 05/04/16 19:33, Pino Toscano wrote:
On Tuesday 05 April 2016 18:47:28 Matteo Cafasso wrote:
The tsk_dirent struct contains the information gathered via TSK APIs.
The struct contains the following fields:
* tsk_inode: inode of a file
* tsk_type: type of file such as for dirwalk command
On 04/04/16 15:15, Pino Toscano wrote:
On Monday 04 April 2016 14:58:35 NoxDaFox wrote:
+
+static int open_filesystem (const char *device,
+TSK_IMG_INFO **img, TSK_FS_INFO **fs);
+static TSK_WALK_RET_ENUM fswalk_callback (TSK_FS_FILE *fsfile
2016-04-04 13:09 GMT+03:00 Pino Toscano :
> Hi,
>
> some of the comments for patch #3 apply also for this one, namely:
> - wrapping of commit message
> - indentation of forward declarations
> - usage of XDR deserialization from guestfs_protocol.h
> -
>
> On Sunday 03 April
2016-04-04 12:48 GMT+03:00 Pino Toscano :
> On Sunday 03 April 2016 16:30:48 Matteo Cafasso wrote:
> > The internal_filesystem_walk command walks
> > through the FS structure of a disk partition
> > and returns all the files or directories
> > which could be found.
> >
> >
On 07/03/16 21:45, Richard W.M. Jones wrote:
Thanks, I have pushed this patch series.
Could you consider changing:
+optional = Some "icat";
I think it would be nice to have a single feature, and to call the
feature "sleuthkit" or "forensics" or something like that. We don't
need to have
On 07/03/16 21:31, Richard W.M. Jones wrote:
On Mon, Mar 07, 2016 at 08:14:41PM +0200, noxdafox wrote:
As the API documentation says, this is the low level API which I
have provided as an example.
I took inspiration from the guestfs_ls0 API which does a similar job
storing the content
On 07/03/16 13:32, Richard W.M. Jones wrote:
On Sun, Mar 06, 2016 at 05:42:25PM +0200, Matteo Cafasso wrote:
+static int
+file_out (const char *cmd)
+{
+ int r;
+ FILE *fp;
+ char buffer[GUESTFS_MAX_CHUNK_SIZE];
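Review bot: `char buffer[GUESTFS_MAX_CHUNK_SIZE];` in file_out places a buffer sized to the maximum protocol chunk on the stack; allocate it on the heap (malloc/free, or a CLEANUP_FREE pointer) instead, so the function stays within the stack limits that the daemon code is moving towards.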
Soon libguestfs will prevent you from using large stack allocations.
This is
/dev/sda2 /home/noxdafox/disk-content.txt
r/r 15711-128-1:
$Recycle.Bin/S-1-5-21-2379395878-2832339042-1309242031-1000/desktop.ini
-/r * 60015-128-1:
$Recycle.Bin/S-1-5-21-2379395878-2832339042-1309242031-1000/$R07QQZ2.txt
-/r * 60015-128-3:
$Recycle.Bin/S-1-5-21-2379395878
On 02/03/16 18:24, Richard W.M. Jones wrote:
On Wed, Mar 02, 2016 at 05:59:32PM +0200, noxdafox wrote:
One of the patches I'm talking about would add TSK (The Sleuth Kit)
as a dependency within the appliance.
This would bring new APIs such as:
'fls' more powerful 'ls' command allowing
On 02/03/16 17:53, Richard W.M. Jones wrote:
On Wed, Mar 02, 2016 at 05:47:40PM +0200, noxdafox wrote:
Greetings,
I am playing around with the idea of using libguestfs as a forensic
tool to investigate VM disk images.
Some use cases as example:
* Sandbox for malware analysis.
* Incident
Greetings,
I am playing around with the idea of using libguestfs as a forensic tool
to investigate VM disk images.
Some use cases as example:
* Sandbox for malware analysis.
* Incident response in cloud environments.
Libguestfs is a precious resource in this case as it allows to abstract
It seems the requirement is to still have Jessie mirrors enabled as it
fails even when installing the packages previously mentioned. I'll
switch to use APT-Pinning with a hybrid stable/testing distro.
Debian testing seems not to be the friendliest environment for building
multi-dependencies
On 27/02/16 22:09, Richard W.M. Jones wrote:
On Sat, Feb 27, 2016 at 09:55:32PM +0200, noxdafox wrote:
On 27/02/16 11:23, Richard W.M. Jones wrote:
[...]
md_create: feature 'mdadm' is not available in this
build of libguestfs. Read 'AVAILABILITY' in the guestfs(3) man page for
how to check
On 27/02/16 11:23, Richard W.M. Jones wrote:
[...]
md_create: feature 'mdadm' is not available in this
build of libguestfs. Read 'AVAILABILITY' in the guestfs(3) man page for
how to check for the availability of features. at
/home/noxdafox/development/libguestfs/test-data/phony-guests/make
On 27/02/16 01:05, Richard W.M. Jones wrote:
On Sat, Feb 27, 2016 at 12:53:51AM +0200, noxdafox wrote:
On 26/02/16 10:12, Richard W.M. Jones wrote:
On Fri, Feb 26, 2016 at 12:16:22AM +0200, noxdafox wrote:
According to autogen.sh output Perl bindings and virt tools seem to
be missing, could
On 26/02/16 10:12, Richard W.M. Jones wrote:
On Fri, Feb 26, 2016 at 12:16:22AM +0200, noxdafox wrote:
According to autogen.sh output Perl bindings and virt tools seem to
be missing, could it be related to this? Are the tests relying on
such dependencies?
Yes, the tests rely on Perl bindings
On 25/02/16 23:18, Richard W.M. Jones wrote:
On Thu, Feb 25, 2016 at 10:46:10PM +0200, noxdafox wrote:
On 25/02/16 10:54, Richard W.M. Jones wrote:
Apply the attached patch, followed by doing:
make -C perl clean
./configure
make
Rich.
I applied the patch, unfortunately the issue
Can't locate loadable object for module Sys::Guestfs in @INC (@INC
contains: /home/noxdafox/development/libguestfs/perl/lib /etc/perl
/usr/local/lib/x86_64-linux-gnu/perl/5.22.1 /usr/local/share/perl/5.22.1
/usr/lib/x86_64-linux-gnu/perl5/5.22 /usr/share/perl5
/usr/lib/x86_64-linux-gnu/perl/5.2
On 23/02/16 10:09, Richard W.M. Jones wrote:
On Mon, Feb 22, 2016 at 11:58:28PM +0200, noxdafox wrote:
Once fixed that and few other things I got stuck with this:
SRCDIR=. LAYOUT=partitions ../../run --test ./make-fedora-img.pl
Can't locate loadable object for module Sys::Guestfs in @INC (@INC
On 22/02/16 19:43, Richard W.M. Jones wrote:
On Mon, Feb 22, 2016 at 07:23:45PM +0200, noxdafox wrote:
On 22/02/16 17:26, Richard W.M. Jones wrote:
On Sun, Feb 21, 2016 at 11:22:23PM +0200, Matteo Cafasso wrote:
Adding ntfscat_i command for downloading files based on their inode number
-part.img blank-fs.img blank-bootroot.img
blank-bootrootlv.img debian.img fedora.img fedora-md1.img fedora-md2.img
fedora-btrfs.img ubuntu.img archlinux.img coreos.img windows.img
guests-all-good.xml
make[3]: Entering directory
'/home/noxdafox/development/libguestfs/test-data/phony-guests'
make[3
On 02/02/16 21:35, Richard W.M. Jones wrote:
On Tue, Feb 02, 2016 at 07:40:12PM +0200, noxdafox wrote:
Greetings,
I'm playing around an idea and I'd like to ask you some questions.
I'd like to extract the MFT table from a disk image file. The idea
is to employ it to build a sort of reverse
Greetings,
I'm playing around an idea and I'd like to ask you some questions.
I'd like to extract the MFT table from a disk image file. The idea is to
employ it to build a sort of reverse lookup table which, given a
cluster, could retrieve the corresponding file with the related metadata.
2015-05-28 11:10 GMT+03:00 Richard W.M. Jones rjo...@redhat.com:
On Thu, May 28, 2015 at 10:57:51AM +0300, NoxDaFox wrote:
2015-05-28 10:40 GMT+03:00 Richard W.M. Jones rjo...@redhat.com:
On Thu, May 28, 2015 at 10:33:48AM +0300, NoxDaFox wrote:
To create the snapshots I'm using
, Richard W.M. Jones wrote:
On Mon, Mar 23, 2015 at 04:34:21PM +0200, NoxDaFox wrote:
Greetings,
I have the following typical scenario: given one or more qcow2 base
images
I clone them with COW and start the VMs.
At a certain point I'd like to inspect them in order to see
Greetings,
I have the following typical scenario: given one or more qcow2 base images
I clone them with COW and start the VMs.
At a certain point I'd like to inspect them in order to see their evolution
compared to the known base images. To do so I was thinking about taking a
disk snapshot of
launch a new handler
each time? It is a quite expensive procedure and it takes a lot of
time on loaded systems.
Would it be enough to mount/unmount the disk at each read?
noxdafox
___
Libguestfs mailing list
Libguestfs@redhat.com
https://www.redhat.com