summaryrefslogtreecommitdiffstats
path: root/src/file_pst.c
diff options
context:
space:
mode:
authorChristophe Grenier <grenier@cgsecurity.org>2007-10-29 22:38:52 +0100
committerChristophe Grenier <grenier@cgsecurity.org>2007-10-29 22:38:52 +0100
commit9928d99936105b4653d2d1b8ca74dc3ffba5c71e (patch)
tree06aa4f5e9f0055027c6fb54dd47a8414cf2fba32 /src/file_pst.c
First version in git
Diffstat (limited to 'src/file_pst.c')
-rw-r--r--src/file_pst.c105
1 files changed, 105 insertions, 0 deletions
diff --git a/src/file_pst.c b/src/file_pst.c
new file mode 100644
index 0000000..529ff3d
--- /dev/null
+++ b/src/file_pst.c
@@ -0,0 +1,105 @@
+/*
+
+ File: file_pst.c
+
+ Copyright (C) 2006-2007 Christophe GRENIER <grenier@cgsecurity.org>
+
+ This software is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write the Free Software Foundation, Inc., 51
+ Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#ifdef HAVE_STRING_H
+#include <string.h>
+#endif
+#include <stdio.h>
+#include "types.h"
+#include "filegen.h"
+
+
+static void register_header_check_pst(file_stat_t *file_stat);
+static int header_check_pst(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new);
+
+const file_hint_t file_hint_pst= {
+ .extension="pst",
+ .description="Outlook (pst/wab/dbx)",
+ .min_header_distance=0,
+ .max_filesize=PHOTOREC_MAX_FILE_SIZE,
+ .recover=1,
+ .header_check=&header_check_pst,
+ .register_header_check=&register_header_check_pst
+};
+
+static const unsigned char pst_header[4]= { '!','B','D','N'};
+static const unsigned char dbx_header[4]= { 0xCF, 0xAD, 0x12, 0xFE };
+static const unsigned char wab_header[16] = { 0x9c, 0xcb, 0xcb, 0x8d, 0x13, 0x75, 0xd2, 0x11,
+ 0x91, 0x58, 0x00, 0xc0, 0x4f, 0x79, 0x56, 0xa4 };
+
+static void register_header_check_pst(file_stat_t *file_stat)
+{
+ register_header_check(0, pst_header,sizeof(pst_header), &header_check_pst, file_stat);
+ register_header_check(0, dbx_header,sizeof(dbx_header), &header_check_pst, file_stat);
+ register_header_check(0, wab_header,sizeof(wab_header), &header_check_pst, file_stat);
+}
+
+#define INDEX_TYPE_OFFSET 0x0A
+#define FILE_SIZE_POINTER 0xA8
+#define FILE_SIZE_POINTER_64 0xB8
+
+static int header_check_pst(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new)
+{
+ if(memcmp(buffer,wab_header,sizeof(wab_header))==0)
+ {
+ reset_file_recovery(file_recovery_new);
+ file_recovery_new->extension="wab"; /* Adresse Book */
+ return 1;
+ }
+ if(memcmp(buffer,dbx_header,sizeof(dbx_header))==0)
+ {
+ reset_file_recovery(file_recovery_new);
+ file_recovery_new->extension="dbx";
+ return 1;
+ }
+ if(memcmp(buffer,pst_header,sizeof(pst_header))==0)
+ {
+ reset_file_recovery(file_recovery_new);
+ file_recovery_new->extension=file_hint_pst.extension;
+ if(buffer[INDEX_TYPE_OFFSET]==0x0e)
+ {
+ /* Outlook 2000 and older versions */
+ file_recovery_new->calculated_file_size=(uint64_t)buffer[FILE_SIZE_POINTER] +
+ (((uint64_t)buffer[FILE_SIZE_POINTER+1])<<8) +
+ (((uint64_t)buffer[FILE_SIZE_POINTER+2])<<16) +
+ (((uint64_t)buffer[FILE_SIZE_POINTER+3])<<24);
+ }
+ else
+ { /* Outlook 2003 */
+ file_recovery_new->calculated_file_size=(uint64_t)buffer[FILE_SIZE_POINTER_64] +
+ (((uint64_t)buffer[FILE_SIZE_POINTER_64+1])<<8) +
+ (((uint64_t)buffer[FILE_SIZE_POINTER_64+2])<<16) +
+ (((uint64_t)buffer[FILE_SIZE_POINTER_64+3])<<24) +
+ (((uint64_t)buffer[FILE_SIZE_POINTER_64+4])<<32) +
+ (((uint64_t)buffer[FILE_SIZE_POINTER_64+5])<<40) +
+ (((uint64_t)buffer[FILE_SIZE_POINTER_64+6])<<48) +
+ (((uint64_t)buffer[FILE_SIZE_POINTER_64+7])<<56);
+ }
+ file_recovery_new->data_check=&data_check_size;
+ file_recovery_new->file_check=&file_check_size;
+ return 1;
+ }
+ return 0;
+}