我正在使用Sleuth Kit Library编写一个程序,该库旨在打印出FAT32文件系统的文件分配表.在我调用tsk_fs_open_img()函数之前,我程序中的所有内容都能正常工作.此时,程序返回并显示“无效的魔术值(不是FATFS文件系统(魔术))”. FS确实是FAT32 FS,我使用十六进制编辑器验证了神奇值(AA55 @ offset 1FE).另外使用mmls和fls(它们是Sleuth Kit Library中包含的命令行工具),可以处理我正在使用的驱动器映像,并显示它确实是FAT32 FS,并且还为FS提供了63的偏移量.

如果有人能帮我弄清楚为什么这个功能不起作用,我将不胜感激.提前致谢.

以下是该函数API的链接：TSK_FS_OPEN_IMG()

这是我的代码：

using namespace std;

#include <tsk3/libtsk.h>
#include <iostream>
#include <string.h>

int main (int argc, const char * argv[])
{

TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
TSK_IMG_INFO *img;

TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_FAT32;
TSK_FS_INFO *fs;

TSK_DADDR_T imgOffset = 0x00000000;
TSK_OFF_T fsStartBlock = 0x00000063;

TSK_VS_INFO *vs;
TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT;

const TSK_VS_PART_INFO *part;
TSK_PNUM_T partLocation = part -> addr;

TSK_TCHAR *driveName;
TSK_DADDR_T startAddress = 0x00000000;
TSK_DADDR_T numBlocksToRead = 0x00000001;
TSK_FS_BLKCAT_FLAG_ENUM flags = TSK_FS_BLKCAT_ASCII;

int numOfDrives = 1;
uint sectorSize = 0;
uint8_t blockBytes = 0;

if (argc < 1) {
    printf("You must enter a drive name.\n");
    exit(EXIT_FAILURE);
}

driveName = (TSK_TCHAR*) argv[1];

cout << "\nOpening Drive\n\n";

if((img = tsk_img_open(numOfDrives, &driveName, imgtype, sectorSize)) == NULL) {
    tsk_error_print(stderr);
    exit(EXIT_FAILURE);
}

cout << "Drive opened successfuly.\n\n";

cout << "Opening File System\n\n";

if((fs = tsk_fs_open_img(img, fsStartBlock, fstype)) == NULL) {
    tsk_error_print(stderr);
    if (tsk_errno == TSK_ERR_FS_UNSUPTYPE)
        tsk_fs_type_print(stderr);
    img -> close(img);
    exit(EXIT_FAILURE);
}

cout << "File system opened successfuly.\n\n";

blockBytes = tsk_fs_blkcat(fs, flags, startAddress, numBlocksToRead);

fs -> close(fs);
img -> close(img);
return 0;
}

最佳答案 tsk_fs_open_img的偏移量参数以字节为单位,而不是扇区.因此,您需要将fsStartBlock乘以img-> sector_size.