Re: [Libguestfs] [PATCH v2] python: add simple wrappers for PyObject<->string functions

2017-05-09 Thread noxdafox
On 09/05/17 16:48, Pino Toscano wrote: The current need for #ifdef's based on the presence of PyString_FromString makes both the OCaml code of the generator, and the generated C code a mess to read. Hence, add three simple wrappers to make both the OCaml, and C code more readable, and easier to

Re: [Libguestfs] [PATCH v7 1/7] daemon: expose file upload logic

2017-04-24 Thread NoxDaFox
2017-04-24 11:58 GMT+03:00 Richard W.M. Jones : > On Sun, Apr 23, 2017 at 07:49:56PM +0300, Matteo Cafasso wrote: > > + if (r == -1) { /* write error */ > > +err = errno; > > +r = cancel_receive (); > > You need to use ignore_value here, and it needs to be

Re: [Libguestfs] [PATCH v3 0/7] Feature: Yara file scanning

2017-02-21 Thread NoxDaFox
2017-02-21 16:32 GMT+02:00 Pino Toscano <ptosc...@redhat.com>: > On Monday, 20 February 2017 13:46:29 CET NoxDaFox wrote: > > 2017-02-20 12:26 GMT+02:00 Daniel P. Berrange <berra...@redhat.com>: > > > > > On Sun, Feb 19, 2017 at 07:09:51PM +0200, Matteo C

Re: [Libguestfs] [PATCH v3 0/7] Feature: Yara file scanning

2017-02-20 Thread NoxDaFox
2017-02-20 12:26 GMT+02:00 Daniel P. Berrange : > On Sun, Feb 19, 2017 at 07:09:51PM +0200, Matteo Cafasso wrote: > > Rebase patches on top of 1.35.25. > > > > No changes since last series. > > Can you explain the motivation behind adding the APIs to libguestfs? > > Since

Re: [Libguestfs] [PATCH v2 4/6] New API: internal_yara_scan

2016-11-24 Thread noxdafox
On 24/11/16 17:42, Pino Toscano wrote: On Tuesday, 22 November 2016 19:41:10 CET noxdafox wrote: yara_load supports loading rules already compiled, which could have a namespace set -- I guess it should be reported here as well. The namespace is accessible via the YR_RULE struct: https

Re: [Libguestfs] [PATCH v2 2/6] New API: yara_load

2016-11-22 Thread noxdafox
On 21/11/16 18:27, Pino Toscano wrote: On Wednesday, 9 November 2016 22:38:53 CET Matteo Cafasso wrote: The yara_load API allows to load a set of Yara rules contained within a file on the host. Rules can be in binary format, as when compiled with yarac command, or in source code format. In the

Re: [Libguestfs] [PATCH v2 4/6] New API: internal_yara_scan

2016-11-22 Thread noxdafox
Ok on most of the comments, only few notes on the last one. On 22/11/16 11:04, Pino Toscano wrote: On Wednesday, 9 November 2016 22:38:55 CET Matteo Cafasso wrote: The internal_yara_scan runs the Yara engine with the previously loaded rules against the given file. For each rule matching

Re: [Libguestfs] [PATCH v4 0/3] New API - find_block

2016-10-11 Thread NoxDaFox
2016-10-11 11:56 GMT+03:00 Pino Toscano : > On Saturday, 8 October 2016 18:27:21 CEST Matteo Cafasso wrote: > > Patch ready for merging. > > > > v4: > > > > - check return code of tsk_fs_attr_walk > > - pass TSK_FS_FILE_WALK_FLAG_NOSPARSE as additional flag to > >

Re: [Libguestfs] [PATCH v3 1/3] New API: internal_find_block

2016-09-23 Thread NoxDaFox
2016-09-23 11:52 GMT+03:00 Pino Toscano : > On Tuesday, 20 September 2016 16:19:30 CEST Matteo Cafasso wrote: > > + for (index = 0; index < count; index++) { > > +fsattr = tsk_fs_file_attr_get_idx (fsfile, index); > > + > > +if (fsattr != NULL && fsattr->flags &

Re: [Libguestfs] [PATCH v2 1/3] New API: internal_find_block

2016-09-20 Thread NoxDaFox
2016-09-20 11:38 GMT+03:00 Pino Toscano : > On Monday, 19 September 2016 23:26:57 CEST Matteo Cafasso wrote: > > The internal_find_block command searches all entries referring to the > > given filesystem data block and returns a tsk_dirent structure > > for each of them. > >

[Libguestfs] Libguestfs based vulnerability scanner

2016-08-31 Thread noxdafox
building to help automating security assessment and forensics analysis of disk images. https://github.com/noxdafox/vminspect I did not test it much yet. Therefore, it might raise several false positives or miss important vulnerabilities but considering it's ~ 100 lines of Python code, I'd say

Re: [Libguestfs] [PATCH v2 1/6] filesystem_walk: fixed root inode listing

2016-08-30 Thread noxdafox
On 26/08/16 15:58, Pino Toscano wrote: On Friday, 26 August 2016 15:15:17 CEST noxdafox wrote: On 26/08/16 14:15, Pino Toscano wrote: On Thursday, 25 August 2016 23:53:51 CEST Matteo Cafasso wrote: With the current implementation, the root inode of the given partition is ignored. The root

Re: [Libguestfs] [PATCH v2 1/6] filesystem_walk: fixed root inode listing

2016-08-26 Thread noxdafox
On 26/08/16 14:15, Pino Toscano wrote: On Thursday, 25 August 2016 23:53:51 CEST Matteo Cafasso wrote: With the current implementation, the root inode of the given partition is ignored. The root inode is now reported. Its name will be a single dot '.' reproducing the TSK API. Signed-off-by:

Re: [Libguestfs] [PATCH 0/3] New API: find_inode

2016-08-25 Thread NoxDaFox
2016-08-25 16:12 GMT+03:00 Pino Toscano <ptosc...@redhat.com>: > On Thursday, 25 August 2016 16:05:47 CEST NoxDaFox wrote: > > 2016-08-25 14:09 GMT+03:00 Pino Toscano <ptosc...@redhat.com>: > > > > > On Wednesday, 24 August 2016 23:59:53 CEST Matteo Cafas

Re: [Libguestfs] [PATCH 1/3] New API: internal_find_inode

2016-08-25 Thread NoxDaFox
2016-08-25 14:19 GMT+03:00 Pino Toscano : > On Wednesday, 24 August 2016 23:59:54 CEST Matteo Cafasso wrote: > > The internal_find_inode command searches all entries referring to the > > given inode and returns a tsk_dirent structure for each of them. > > > > The command is

Re: [Libguestfs] [PATCH 0/3] New API: find_inode

2016-08-25 Thread NoxDaFox
2016-08-25 14:09 GMT+03:00 Pino Toscano : > On Wednesday, 24 August 2016 23:59:53 CEST Matteo Cafasso wrote: > > The find_inode API allows the User to search all the entries referring > > to a given inode and returns a tsk_dirent structure for each of them. > > > > As I

Re: [Libguestfs] [PATCH v2 0/2] Added download_blocks API

2016-07-20 Thread noxdafox
an example on libguestfs-based VM scanning solution in here: https://github.com/noxdafox/vminspect If you check the "timeline" command implementation, you'll find few of the new APIs in use. Considering they are quite specific, I was thinking about adding a documentation paragraph and/or some

Re: [Libguestfs] [PATCH 1/2] filesystem_walk: more information into tsk_dirent

2016-07-04 Thread noxdafox
On 04/07/16 16:25, Pino Toscano wrote: On Monday 04 July 2016 00:00:59 Matteo Cafasso wrote: Access, modification, last status change and creation time in Unix format as for statns. Number of links pointing to a given entry. If the entry is a symbolic link, report its target path. A new flag

Re: [Libguestfs] [PATCH] Reserve entries to tsk_dirent struct

2016-06-28 Thread noxdafox
On 28/06/16 23:01, Richard W.M. Jones wrote: On Tue, Jun 28, 2016 at 10:49:16PM +0300, Matteo Cafasso wrote: Already implemented entries. tsk_inode tsk_type tsk_size tsk_name tsk_flags Easy ones to add. tsk_atime_sec tsk_atime_nsec tsk_mtime_sec tsk_mtime_nsec tsk_ctime_sec tsk_ctime_nsec

Re: [Libguestfs] [PATCH v8 1/3] New API: internal_filesystem_walk

2016-06-15 Thread noxdafox
On 15/06/16 16:56, Richard W.M. Jones wrote: On Mon, Jun 13, 2016 at 07:50:52PM +0300, Matteo Cafasso wrote: diff --git a/generator/structs.ml b/generator/structs.ml index 6017ba6..3c2cc61 100644 --- a/generator/structs.ml +++ b/generator/structs.ml @@ -444,6 +444,19 @@ let structs = [

Re: [Libguestfs] [PATCH v3 5/5] appliance: Added filesystem_walk command tests

2016-04-05 Thread noxdafox
On 05/04/16 20:33, Pino Toscano wrote: On Tuesday 05 April 2016 18:47:32 Matteo Cafasso wrote: The tests check that the filesystem_walk command is able to retrieve information regarding both existing and deleted files. A NTFS image is used as Ext3+ filesystems deletion is more aggressive in

Re: [Libguestfs] [PATCH v3 1/5] generator: Added tsk_dirent struct

2016-04-05 Thread noxdafox
On 05/04/16 19:33, Pino Toscano wrote: On Tuesday 05 April 2016 18:47:28 Matteo Cafasso wrote: The tsk_dirent struct contains the information gathered via TSK APIs. The struct contains the following fields: * tsk_inode: inode of a file * tsk_type: type of file such as for dirwalk command

Re: [Libguestfs] [PATCH v2 3/5] daemon: Added internal_filesystem_walk command

2016-04-04 Thread noxdafox
On 04/04/16 15:15, Pino Toscano wrote: On Monday 04 April 2016 14:58:35 NoxDaFox wrote: + +static int open_filesystem (const char *device, +TSK_IMG_INFO **img, TSK_FS_INFO **fs); +static TSK_WALK_RET_ENUM fswalk_callback (TSK_FS_FILE *fsfile

Re: [Libguestfs] [PATCH v2 4/5] appliance: Added filesystem_walk command

2016-04-04 Thread NoxDaFox
2016-04-04 13:09 GMT+03:00 Pino Toscano : > Hi, > > some of the comments for patch #3 apply also for this one, namely: > - wrapping of commit message > - indentation of forward declarations > - usage of XDR deserialization from guestfs_protocol.h > - > > On Sunday 03 April

Re: [Libguestfs] [PATCH v2 3/5] daemon: Added internal_filesystem_walk command

2016-04-04 Thread NoxDaFox
2016-04-04 12:48 GMT+03:00 Pino Toscano : > On Sunday 03 April 2016 16:30:48 Matteo Cafasso wrote: > > The internal_filesystem_walk command walks > > through the FS structure of a disk partition > > and returns all the files or directories > > which could be found. > > > >

Re: [Libguestfs] [PATCH 2/3] added icat API to retrieve deleted or inaccessible files

2016-03-07 Thread noxdafox
On 07/03/16 21:45, Richard W.M. Jones wrote: Thanks, I have pushed this patch series. Could you consider changing: +optional = Some "icat"; I think it would be nice to have a single feature, and to call the feature "sleuthkit" or "forensics" or something like that. We don't need to have

Re: [Libguestfs] [PATCH 0/2] added icat and fls0 APIs for deleted files recovery

2016-03-07 Thread noxdafox
On 07/03/16 21:31, Richard W.M. Jones wrote: On Mon, Mar 07, 2016 at 08:14:41PM +0200, noxdafox wrote: As the API documentation says, this is the low level API which I have provided as an example. I took inspiration from the guestfs_ls0 API which does a similar job storing the content

Re: [Libguestfs] [PATCH 1/2] added icat and fls0 APIs

2016-03-07 Thread noxdafox
On 07/03/16 13:32, Richard W.M. Jones wrote: On Sun, Mar 06, 2016 at 05:42:25PM +0200, Matteo Cafasso wrote: +static int +file_out (const char *cmd) +{ + int r; + FILE *fp; + char buffer[GUESTFS_MAX_CHUNK_SIZE]; Soon libguestfs will prevent you from using large stack allocations. This is

Re: [Libguestfs] [PATCH 0/2] added icat and fls0 APIs for deleted files recovery

2016-03-07 Thread noxdafox
/dev/sda2 /home/noxdafox/disk-content.txt r/r 15711-128-1: $Recycle.Bin/S-1-5-21-2379395878-2832339042-1309242031-1000/desktop.ini -/r * 60015-128-1: $Recycle.Bin/S-1-5-21-2379395878-2832339042-1309242031-1000/$R07QQZ2.txt -/r * 60015-128-3: $Recycle.Bin/S-1-5-21-2379395878

Re: [Libguestfs] Libguestfs as filesystem forensic tool

2016-03-02 Thread noxdafox
On 02/03/16 18:24, Richard W.M. Jones wrote: On Wed, Mar 02, 2016 at 05:59:32PM +0200, noxdafox wrote: One of the patches I'm talking about would add TSK (The Sleuth Kit) as a dependency within the appliance. This would bring new APIs such as: 'fls' more powerful 'ls' command allowing

Re: [Libguestfs] Libguestfs as filesystem forensic tool

2016-03-02 Thread noxdafox
On 02/03/16 17:53, Richard W.M. Jones wrote: On Wed, Mar 02, 2016 at 05:47:40PM +0200, noxdafox wrote: Greetings, I am playing around with the idea of using libguestfs as a forensic tool to investigate VM disk images. Some use cases as example: * Sandbox for malware analysis. * Incident

[Libguestfs] [libguestfs] Libguestfs as filesystem forensic tool

2016-03-02 Thread noxdafox
Greetings, I am playing around with the idea of using libguestfs as a forensic tool to investigate VM disk images. Some use cases as example: * Sandbox for malware analysis. * Incident response in cloud environments. Libguestfs is a precious resource in this case as it allows to abstract

Re: [Libguestfs] [PATCH] added ntfscat_i api

2016-02-28 Thread noxdafox
It seems the requirement is to still have Jessie mirrors enabled as it fails even when installing the packages previously mentioned. I'll switch to use APT-Pinning with a hybrid stable/testing distro. Debian testing seems not to be the friendliest environment for building multi-dependencies

Re: [Libguestfs] [PATCH] added ntfscat_i api

2016-02-27 Thread noxdafox
On 27/02/16 22:09, Richard W.M. Jones wrote: On Sat, Feb 27, 2016 at 09:55:32PM +0200, noxdafox wrote: On 27/02/16 11:23, Richard W.M. Jones wrote: [...] md_create: feature 'mdadm' is not available in this build of libguestfs. Read 'AVAILABILITY' in the guestfs(3) man page for how to check

Re: [Libguestfs] [PATCH] added ntfscat_i api

2016-02-27 Thread noxdafox
On 27/02/16 11:23, Richard W.M. Jones wrote: [...] md_create: feature 'mdadm' is not available in this build of libguestfs. Read 'AVAILABILITY' in the guestfs(3) man page for how to check for the availability of features. at /home/noxdafox/development/libguestfs/test-data/phony-guests/make

Re: [Libguestfs] [PATCH] added ntfscat_i api

2016-02-27 Thread noxdafox
On 27/02/16 01:05, Richard W.M. Jones wrote: On Sat, Feb 27, 2016 at 12:53:51AM +0200, noxdafox wrote: On 26/02/16 10:12, Richard W.M. Jones wrote: On Fri, Feb 26, 2016 at 12:16:22AM +0200, noxdafox wrote: According to autogen.sh output Perl bindings and virt tools seem to be missing, could

Re: [Libguestfs] [PATCH] added ntfscat_i api

2016-02-26 Thread noxdafox
On 26/02/16 10:12, Richard W.M. Jones wrote: On Fri, Feb 26, 2016 at 12:16:22AM +0200, noxdafox wrote: According to autogen.sh output Perl bindings and virt tools seem to be missing, could it be related to this? Are the tests relying to such dependencies? Yes, the tests rely on Perl bindings

Re: [Libguestfs] [PATCH] added ntfscat_i api

2016-02-25 Thread noxdafox
On 25/02/16 23:18, Richard W.M. Jones wrote: On Thu, Feb 25, 2016 at 10:46:10PM +0200, noxdafox wrote: On 25/02/16 10:54, Richard W.M. Jones wrote: Apply the attached patch, followed by doing: make -C perl clean ./configure make Rich. I applied the patch, unfortunately the issue

Re: [Libguestfs] [PATCH] added ntfscat_i api

2016-02-25 Thread noxdafox
Can't locate loadable object for module Sys::Guestfs in @INC (@INC contains: /home/noxdafox/development/libguestfs/perl/lib /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.22.1 /usr/local/share/perl/5.22.1 /usr/lib/x86_64-linux-gnu/perl5/5.22 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.2

Re: [Libguestfs] [PATCH] added ntfscat_i api

2016-02-24 Thread noxdafox
On 23/02/16 10:09, Richard W.M. Jones wrote: On Mon, Feb 22, 2016 at 11:58:28PM +0200, noxdafox wrote: Once fixed that and few other things I got stuck with this: SRCDIR=. LAYOUT=partitions ../../run --test ./make-fedora-img.pl Can't locate loadable object for module Sys::Guestfs in @INC (@INC

Re: [Libguestfs] [PATCH] added ntfscat_i api

2016-02-22 Thread noxdafox
On 22/02/16 19:43, Richard W.M. Jones wrote: On Mon, Feb 22, 2016 at 07:23:45PM +0200, noxdafox wrote: On 22/02/16 17:26, Richard W.M. Jones wrote: On Sun, Feb 21, 2016 at 11:22:23PM +0200, Matteo Cafasso wrote: Adding ntfscat_i command for downloading files based on their inode number

Re: [Libguestfs] [PATCH] added ntfscat_i api

2016-02-22 Thread noxdafox
-part.img blank-fs.img blank-bootroot.img blank-bootrootlv.img debian.img fedora.img fedora-md1.img fedora-md2.img fedora-btrfs.img ubuntu.img archlinux.img coreos.img windows.img guests-all-good.xml make[3]: Entering directory '/home/noxdafox/development/libguestfs/test-data/phony-guests' make[3

Re: [Libguestfs] extract NTFS Master File Table for analysis

2016-02-18 Thread noxdafox
On 02/02/16 21:35, Richard W.M. Jones wrote: On Tue, Feb 02, 2016 at 07:40:12PM +0200, noxdafox wrote: Greetings, I'm playing around an idea and I'd like to ask you some questions. I'd like to extract the MFT table from a disk image file. The idea is to employ it to build a sort of reverse

[Libguestfs] extract NTFS Master File Table for analysis

2016-02-02 Thread noxdafox
Greetings, I'm playing around an idea and I'd like to ask you some questions. I'd like to extract the MFT table from a disk image file. The idea is to employ it to build a sort of reverse lookup table which, given a cluster, could retrieve the corresponding file with the related metadata.

Re: [Libguestfs] Concurrent scanning of same disk

2015-05-28 Thread NoxDaFox
2015-05-28 11:10 GMT+03:00 Richard W.M. Jones rjo...@redhat.com: On Thu, May 28, 2015 at 10:57:51AM +0300, NoxDaFox wrote: 2015-05-28 10:40 GMT+03:00 Richard W.M. Jones rjo...@redhat.com: On Thu, May 28, 2015 at 10:33:48AM +0300, NoxDaFox wrote: To create the snapshots I'm using

[Libguestfs] Fwd: Inspection of disk snapshots

2015-03-24 Thread NoxDaFox
, Richard W.M. Jones wrote: On Mon, Mar 23, 2015 at 04:34:21PM +0200, NoxDaFox wrote: Greetings, I have the following typical scenario: given one or more qcow2 base images I clone them with COW and start the VMs. At a certain point I'd like to inspect them in order to see

[Libguestfs] Inspection of disk snapshots

2015-03-23 Thread NoxDaFox
Greetings, I have the following typical scenario: given one or more qcow2 base images I clone them with COW and start the VMs. At a certain point I'd like to inspect them in order to see their evolution compared to the known base images. To do so I was thinking about taking a disk snapshot of

[Libguestfs] Inspect running disk image

2013-01-23 Thread NoxDaFox
launch a new handler each time? It is a quite expensive procedure and it takes a lot of time on loaded systems. Would be enough to mount/unmount the disk at each read? noxdafox