py4n6 / pytsk

Python bindings for The Sleuth Kit (libtsk)
Apache License 2.0

Major changes in libtsk 4.8 and later break pytsk #71

Closed joachimmetz closed 3 years ago

joachimmetz commented 3 years ago

Related:

joachimmetz commented 3 years ago

Changes in libtsk 4.8 cause multiple issues:

joachimmetz commented 3 years ago

Looks like the lexer is failing to process some of the changed public API structs

PYTHONPATH=. python3 class_parser.py sleuthkit/tsk/libtsk.h sleuthkit/tsk/base/tsk_base.h sleuthkit/tsk/fs/tsk_fs.h sleuthkit/tsk/img/tsk_img.h sleuthkit/tsk/vs/tsk_vs.h tsk3.h 

4.7

0xC49C: Calling PUSH_STATE 'struct TSK_FS_INFO {'
0xC49C: Calling STRUCT_START 'struct TSK_FS_INFO {'
0xC4A5: Calling SPACE '\n        '
0xC4AD: Calling STRUCT_ATTRIBUTE 'int tag;'
0xC4BD: Calling SPACE '                '
0xC514: Calling COMMENT '///< \\internal Will be set to TSK_FS_INFO_TAG if structure is still allocated, 0 if not'
0xC51D: Calling SPACE '\n        '
0xC534: Calling STRUCT_ATTRIBUTE 'TSK_IMG_INFO *img_info;'
Unknown attribute type TSK_IMG_INFO * for TSK_FS_INFO.img_info
0xC535: Calling SPACE ' '
0xC55A: Calling COMMENT '///< Pointer to the image layer state'
0xC563: Calling SPACE '\n        '

4.8

0xCAD9: Calling PUSH_STATE 'struct TSK_FS_INFO {'
0xCAD9: Calling STRUCT_START 'struct TSK_FS_INFO {'
0xCAE2: Calling SPACE '\n        '
0xCAEA: Calling STRUCT_ATTRIBUTE 'int tag;'
0xCAFA: Calling SPACE '                '
0xCB51: Calling COMMENT '///< \\internal Will be set to TSK_FS_INFO_TAG if structure is still allocated, 0 if not'
0xCB53: Calling CLEAR_COMMENT '\n\n'
0xCB5B: Calling SPACE '        '
0xCB63: Calling PUSH_STATE 'struct {'
0xCB70: Calling SPACE '\n            '
Error(1): Lexer Stuck, discarding 1 byte ('SK_IMG_INF') - state RECURSIVE_STRUCT
Error(1): Lexer Stuck, discarding 1 byte ('K_IMG_INFO') - state RECURSIVE_STRUCT
Error(1): Lexer Stuck, discarding 1 byte ('_IMG_INFO ') - state RECURSIVE_STRUCT
Error(1): Lexer Stuck, discarding 1 byte ('IMG_INFO *') - state RECURSIVE_STRUCT

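Added example, not part of the original thread or of pytsk: a triage helper that reads class_parser.py debug output in the format quoted above and collapses each run of "Lexer Stuck" errors into one finding, naming the enclosing struct and reconstructing the text the lexer could not consume. The function name, the result keys and the reading that each error window advances by the discarded byte count are assumptions inferred from the trace.

```python
import re

CALL = re.compile(r"^(0x[0-9A-Fa-f]+): Calling (\w+) '(.*)'$")
STUCK = re.compile(r"^Error\(\d+\): Lexer Stuck, discarding (\d+) byte "
                   r"\('(.*)'\) - state (\w+)$")
NAMED_STRUCT = re.compile(r"struct\s+(\w+)\s*\{")

# Constructed sample: a subset of the 4.8 trace lines quoted above.
SAMPLE_TRACE = r"""
0xCAD9: Calling PUSH_STATE 'struct TSK_FS_INFO {'
0xCAD9: Calling STRUCT_START 'struct TSK_FS_INFO {'
0xCAEA: Calling STRUCT_ATTRIBUTE 'int tag;'
0xCB63: Calling PUSH_STATE 'struct {'
0xCB70: Calling SPACE '\n            '
Error(1): Lexer Stuck, discarding 1 byte ('SK_IMG_INF') - state RECURSIVE_STRUCT
Error(1): Lexer Stuck, discarding 1 byte ('K_IMG_INFO') - state RECURSIVE_STRUCT
Error(1): Lexer Stuck, discarding 1 byte ('_IMG_INFO ') - state RECURSIVE_STRUCT
Error(1): Lexer Stuck, discarding 1 byte ('IMG_INFO *') - state RECURSIVE_STRUCT
"""


def find_stuck_runs(trace):
    """Return one finding per run of consecutive 'Lexer Stuck' errors."""
    findings, run = [], None
    struct, anon_depth, last_ok = None, 0, None
    for line in trace.splitlines():
        call, stuck = CALL.match(line), STUCK.match(line)
        if call:
            run = None  # a successfully lexed token ends the current error run
            last_ok = int(call.group(1), 16)
            if call.group(2) == "PUSH_STATE":
                named = NAMED_STRUCT.search(call.group(3))
                # The trace shows no pop action, so track only the most recently
                # opened named struct and the anonymous pushes after it.
                struct, anon_depth = ((named.group(1), 0) if named
                                      else (struct, anon_depth + 1))
        elif stuck:
            count, window, state = int(stuck.group(1)), stuck.group(2), stuck.group(3)
            if run is None or run["state"] != state:
                run = {"struct": struct, "anonymous_depth": anon_depth,
                       "state": state, "last_ok_offset": last_ok,
                       "discarded": 0, "text": window}
                findings.append(run)
            else:
                # Assumption: the window moved by the bytes the previous error
                # discarded, so only its tail is new text.
                run["text"] += window[-run["step"]:]
            run["discarded"] += count
            run["step"] = count
    return findings
```

On the constructed sample this reports a single run inside TSK_FS_INFO, one anonymous struct deep, with the unconsumed text starting at the TSK_IMG_INFO pointer member.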
joachimmetz commented 3 years ago

@sbrun please have a look if the changes in https://github.com/py4n6/pytsk/pull/72 solve the issue reported in log2timeline/dfvfs#544

sbrun commented 3 years ago

@joachimmetz I have tested the patch and yes it fixes the issue I had with dfvfs. Thank you very much! I can import the patch in the Debian package or maybe you plan to release a new pytsk version soon?

joachimmetz commented 3 years ago

> I can import the patch in the Debian package or maybe you plan to release a new pytsk version soon?

Plan, yes. When? Not sure yet, depends on other priorities. So including the patch in the Debian package is the quickest way to address the issue on your side.

joachimmetz commented 3 years ago

pre-release for testing purposes https://github.com/py4n6/pytsk/releases/tag/20210130