

1 message in net.java.dev.jna.users: Re: JNA and Computer Forensic

| From | Sent On | Attachments |
|---|---|---|
| Timothy Wall | Jan 20, 2008 6:03 am | |
| Subject: | Re: JNA and Computer Forensic |
|---|---|
| From: | Timothy Wall (twal...@dev.java.net) |
| Date: | Jan 20, 2008 6:03:21 am |
| List: | net.java.dev.jna.users |

On Jan 20, 2008, at 2:45 AM, Luca Guerrieri wrote:
> I'm an Italian Java coder and I would like to apologise to you for my bad English, and I would like to express my congratulations for this project. My interest is computer forensic acquisition and analysis; in this field it is important (for example) to acquire the contents of a hard drive without changing it, from the first bit to the last of the memory that is probably the evidence of a crime.

One thing to keep in mind is that the OS itself cannot always be trusted.

> I think that to do this I must "access the memory at a low level". I thought of using JNI technology but ... I found JNA "beautiful"! I've tried to customise the interface and I've created a class to access kernel32 methods, but without result. Can you help me please? My problem is that the calls to these methods (in Kernel32.dll) return an error:
>
> GetVersion, GetLocalDrive, GetLogicalDriveStringsW, GetVolumeInformationA.
>
> Thank you in advance for your time.
>
> P.S.: My idea is to develop a little project (under the GPL licence) to perform acquisition. I made a live CD (ForLEx) and I would like to add Java-based tools to conduct acquisition and analysis, all open source.
>
> CODE
>
> The Interface
> =========
>
> ```java
> package esperimenti;
>
> import com.sun.jna.win32.StdCallLibrary;
> import com.sun.jna.*;
>
> public interface Kernel32 extends StdCallLibrary {
>     Kernel32 INSTANCE = (Kernel32) Native.loadLibrary("kernel32", Kernel32.class);
> ```

Take a look at com.sun.jna.examples.win32.Kernel32 and how it is loaded. Note that an options map is provided to automatically choose between functions with an "A" suffix and functions with a "W" suffix, and also automatically chooses whether to use unicode or ASCII strings. You should use those options instead of defining both versions.
You can define the system property "w32.ascii" to "true" if you want the default to use ASCII instead of unicode.
Otherwise, String by default maps to "char*", not "wchar_t*".
> ```java
>     // The Win32 OSVERSIONINFO ends with an inline TCHAR szCSDVersion[128]; a String
>     // field maps to a pointer, so this layout and the size of 24 do not match the
>     // native struct (148 bytes for the ANSI layout).
>     public static class OSVERSIONINFO extends Structure {
>         public int dwOSVersionInfoSize = 24;
>         public int dwMajorVersion;
>         public int dwMinorVersion;
>         public int dwBuildNumber;
>         public int dwPlatformId;
>         public String szCSDVersion;
>     }
>
>     // Neither of these corresponds to a native type: GetLogicalDriveStrings takes
>     // a buffer length and a buffer pointer as two separate arguments.
>     public static class LOGICALDRIVEW extends Structure {
>         public int lwBufSize;
>         public char oswBuffef;
>     }
>
>     public static class LOGICALDRIVEA extends Structure {
>         public int nBufferLength;
>         public String lpBuffer;
>     }
>
>     // GetVolumeInformation likewise takes its eight parameters individually,
>     // with the DWORD outputs passed by pointer.
>     public static class VOLUMEINFORMATION extends Structure {
>         public String lpRootPathName;
>         public String lpVolumeNameBuffer;
>         public int nVolumeNameSize;
>         public int lpVolumeSerialNumber;
>         public int lpMaximumComponentLength;
>         public int lpFileSystemFlags;
>         public String lpFileSystemNameBuffer;
>         public int nFileSystemNameSize;
>     }
>
>     // None of these signatures matches kernel32.dll: GetVersion takes no arguments
>     // and returns a DWORD (GetVersionEx is the call that fills an OSVERSIONINFO),
>     // kernel32 exports no GetLocalDrive (and LOCALDRIVE is never declared here),
>     // and the last two take separate arguments rather than one structure.
>     void GetVersion(OSVERSIONINFO result);
>     void GetLocalDrive(LOCALDRIVE result);
>     void GetLogicalDriveStringsW(LOGICALDRIVEW result);
>     void GetVolumeInformationA(VOLUMEINFORMATION result);
> }
> ```
>
> The class
> =======
>
> ```java
> import esperimenti.Kernel32;   // needed: Acquisitor is not in package esperimenti
> import esperimenti.Kernel32.OSVERSIONINFO;
> import esperimenti.Kernel32.LOGICALDRIVEW;
> import esperimenti.Kernel32.VOLUMEINFORMATION;
> import esperimenti.Kernel32.LOGICALDRIVEA;
>
> public class Acquisitor {
>     public static void main(String args[]) {
>         Kernel32 lib = Kernel32.INSTANCE;
>         OSVERSIONINFO os = new OSVERSIONINFO();
>         lib.GetVersion(os);
>         System.out.println("Structure size is : " + os.dwOSVersionInfoSize);
>         System.out.println("OS Major Version is : " + os.dwMajorVersion);
>         System.out.println("OS Minor Version is : " + os.dwMinorVersion);
>         System.out.println("OS Build Number is : " + os.dwBuildNumber);
>
>         // The root path is assigned only after the call, so the call runs with
>         // lpRootPathName still null.
>         VOLUMEINFORMATION vi = new VOLUMEINFORMATION();
>         lib.GetVolumeInformationA(vi);
>         vi.lpRootPathName = "C:\\";
>         System.out.println("" + vi.lpRootPathName);
>         System.out.println("" + vi.lpVolumeNameBuffer);
>         System.out.println("" + vi.nVolumeNameSize);
>         System.out.println("" + vi.lpVolumeSerialNumber);
>         System.out.println("" + vi.lpMaximumComponentLength);
>         System.out.println("" + vi.lpFileSystemFlags);
>         System.out.println("" + vi.lpFileSystemNameBuffer);
>         System.out.println("" + vi.nFileSystemNameSize);
>
>         LOGICALDRIVEW ld = new LOGICALDRIVEW();
>         lib.GetLogicalDriveStringsW(ld);
>         System.out.println("Logical Drive " + ld.lwBufSize);
>         System.out.println("Logical Drive " + ld.oswBuffef);
>
>         // GetLogicalDriveStrings (no suffix) is not declared in the interface above.
>         LOGICALDRIVEA ldA = new LOGICALDRIVEA();
>         System.out.println("Logical Drive " + lib.GetLogicalDriveStrings(ldA));
>     }
> }
> ```
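One way to declare two of these calls with the options map Tim describes, as an added example that is not code from this thread or from the JNA project. It assumes a current JNA release, where the options live in com.sun.jna.win32.W32APIOptions and the loader is Native.load; the class name, buffer sizes and helper names are my own choices.

```java
import com.sun.jna.Native;
import com.sun.jna.ptr.IntByReference;
import com.sun.jna.win32.StdCallLibrary;
import com.sun.jna.win32.W32APIOptions;

// Added example; assumes a current JNA release (W32APIOptions, Native.load).
public class VolumeInfoExample {
    public interface Kernel32 extends StdCallLibrary {
        // UNICODE_OPTIONS appends the "W" suffix and maps String to wchar_t*
        // and boolean to BOOL. DEFAULT_OPTIONS does the same unless the system
        // property w32.ascii is "true", which selects the "A" variants instead.
        Kernel32 INSTANCE = Native.load("kernel32", Kernel32.class,
                W32APIOptions.UNICODE_OPTIONS);
        // Declared without a suffix and with the real Win32 parameter list:
        // text comes back in char[] buffers, DWORD outputs in IntByReference.
        boolean GetVolumeInformation(String lpRootPathName,
                char[] lpVolumeNameBuffer, int nVolumeNameSize,
                IntByReference lpVolumeSerialNumber,
                IntByReference lpMaximumComponentLength,
                IntByReference lpFileSystemFlags,
                char[] lpFileSystemNameBuffer, int nFileSystemNameSize);
        // Fills a double-NUL-terminated list ("C:\\\0D:\\\0\0") and returns
        // the number of characters written, excluding the final NUL.
        int GetLogicalDriveStrings(int nBufferLength, char[] lpBuffer);
    }

    /** Returns the drive roots, e.g. {"C:\\", "D:\\"}, or throws on failure. */
    static String[] logicalDrives(Kernel32 k32) {
        char[] buf = new char[256];
        int n = k32.GetLogicalDriveStrings(buf.length, buf);
        if (n == 0 || n > buf.length)  // 0 = call failed, > length = buffer too small
            throw new IllegalStateException("error " + Native.getLastError());
        return new String(buf, 0, n).split("\0");  // split drops the trailing empties
    }

    static String describeVolume(Kernel32 k32, String root) {
        char[] label = new char[261], fs = new char[261];  // MAX_PATH + 1
        IntByReference serial = new IntByReference(), maxLen = new IntByReference(),
                flags = new IntByReference();
        if (!k32.GetVolumeInformation(root, label, label.length, serial, maxLen,
                flags, fs, fs.length))
            return root + " -> error " + Native.getLastError();  // e.g. no media present
        return String.format("%s label=%s fs=%s serial=%08X flags=0x%X", root,
                Native.toString(label), Native.toString(fs), serial.getValue(), flags.getValue());
    }

    public static void main(String[] args) {
        for (String root : logicalDrives(Kernel32.INSTANCE))
            System.out.println(describeVolume(Kernel32.INSTANCE, root));
    }
}
```

Checking the BOOL return and reading Native.getLastError() is what makes a failed query visible instead of printing uninitialised buffer contents.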