Add files via upload

Author: ProjectZeroDays

src/apfs.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+target_root_directory=$1
+target_directory=$2
+keys_directory=$3
+drive_serial=$4
+current_partition=$5
+uuid=$6
+
+
+slices=`/opt/drivebadger/internal/generic/apple/get-apfs-filesystems.sh /dev/$current_partition`
+for slice in $slices; do
+	slid="${slice%:*}"
+	slname="${slice##*:}"
+
+	mountpoint=/media/$current_partition/$slid/mnt
+	subtarget=$target_directory/$drive_serial/${current_partition}_apfs_${slid}_${slname}
+	mkdir -p $mountpoint $subtarget
+
+	if /opt/drivebadger/internal/generic/apple/mount-apfs-filesystem.sh $keys_directory "$drive_serial" /dev/$current_partition $slid $mountpoint $subtarget >>$subtarget/rsync.log 2>>$subtarget/rsync.err; then
+		/opt/drivebadger/internal/generic/process-hooks.sh $mountpoint $target_root_directory
+
+		logger "copying UUID=$uuid (partition $current_partition filesystem APFS slice $slid ($slname), mounted as $mountpoint, target directory $subtarget)"
+		/opt/drivebadger/internal/generic/rsync-partition.sh $mountpoint $subtarget >>$subtarget/rsync.log 2>>$subtarget/rsync.err
+		umount $mountpoint
+		logger "copied UUID=$uuid"
+	fi
+done

src/dump-debug-files.sh

@@ -0,0 +1,27 @@
+#!/bin/sh
+
+directory=$1
+
+ls -al /dev/disk/by-uuid/ >$directory/by-uuid.txt
+ls -al /dev/disk/by-id/ >$directory/by-id.txt
+
+cat /sys/class/dmi/id/* 2>/dev/null >$directory/dmi.txt
+
+ifconfig -a >$directory/ifconfig.txt
+route -ne >$directory/route.txt
+arp -an >$directory/arp.txt
+
+dmesg >$directory/dmesg.txt
+lsusb >$directory/lsusb.txt
+lspci >$directory/lspci.txt
+
+lsblk >$directory/lsblk.txt
+blkid >$directory/blkid.txt
+
+cat /proc/cpuinfo >$directory/cpuinfo.txt
+cat /proc/meminfo >$directory/meminfo.txt
+cat /proc/partitions >$directory/partitions.txt
+
+if [ -f /proc/mdstat ]; then
+	cat /proc/mdstat >$directory/mdstat.txt
+fi

src/get-apfs-filesystems.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+device=$1
+
+fsapfsinfo $device \
+	|grep -A2 Volume \
+	|grep -v Identifier \
+	|sed -e 's/[\t ]//g' -e 's/information://g' -e 's/Volume://g' -e 's/Name://g' -e 's/[^a-zA-Z0-9]//g' \
+	|tr '\n' ':' \
+	|sed -e 's/::/\n/g' -e 's/:$//g' \
+	|egrep -v ':(Preboot|Recovery|VM)$'

src/get-computer-id.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+comp_name=`cat /sys/class/dmi/id/product_name |sed -e 's/[ \t]*$//' -e 's/ /_/g'`
+local_ip=`ifconfig -a |grep -v 127.0.0.1 |grep 'inet ' |awk '{ print $2 }' |head -n 1`
+
+logger "computer name $comp_name, primary IP $local_ip"
+
+echo ${local_ip}_${comp_name}

src/get-drive-encryption-keys.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+encryption_mode=$1
+keys_directory=$2
+drive_serial=$3
+
+
+# 1. Try to find key(s) assigned to given drive serial number:
+#    - preconfigured manually
+#    - found during previous Drive Badger runs
+# 2. Print generic keys, preconfigured using configuration repositories
+
+file=""
+if [ "$keys_directory" != "" ] && [ "$drive_serial" != "" ]; then
+	file=$keys_directory/$drive_serial.$encryption_mode
+fi
+
+if [ "$file" != "" ] && [ -s $file ]; then
+	cat $file
+	cat /opt/drivebadger/config/*/$encryption_mode.keys 2>/dev/null |grep -v "^#" |grep -v ^$ |grep -vxFf $file
+else
+	cat /opt/drivebadger/config/*/$encryption_mode.keys 2>/dev/null |grep -v "^#" |grep -v ^$
+fi

src/get-drive-serial.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+drive=$1
+directory=$2
+
+if [ ! -f $directory/$drive.txt ]; then
+	if [[ $drive =~ ^mmc ]]; then
+		udevadm info -a /dev/$drive >$directory/$drive.txt
+	elif [[ $drive =~ ^nvme ]]; then
+		nvme id-ctrl /dev/$drive >$directory/$drive.txt
+	else
+		hdparm -I /dev/$drive >$directory/$drive.txt
+	fi
+fi
+
+if [[ $drive =~ ^mmc ]]; then
+	grep 'ATTRS{serial}' $directory/$drive.txt |tr -d ' \t\"' |tr '=' ' ' |awk '{ print $2 }'
+elif [[ $drive =~ ^nvme ]]; then
+	cat $directory/$drive.txt |tr -d ' \t' |grep ^sn: |cut -d':' -f2
+elif grep -q "Serial Number" $directory/$drive.txt; then
+	cat $directory/$drive.txt |tr -d ' \t' |grep ^SerialNumber: |cut -d':' -f2
+else
+	ls -l /dev/disk/by-id/* |grep /$drive$ |grep -v wwn- |cut -d'/' -f5 |cut -d'-' -f2- |sed -e "s/ -> ..//g" -e "s/-0:0//g"
+fi

src/get-injector-script.sh

@@ -0,0 +1,36 @@
+#!/bin/sh
+
+# The below logic is responsible for selecting, which script (only one!)
+# will be executed against the drive mounted in read/write mode.
+
+fs=$1
+drive_serial=$2
+uuid=$3
+
+
+#
+# Match exact partition using its UUID.
+#
+# Downside: Bitlocker and VeraCrypt partitions can't be handled this way.
+#
+if [ "$uuid" != "" ] && [ -x /opt/drivebadger/injectors/uuid-$uuid/injector.sh ]; then
+	echo /opt/drivebadger/injectors/uuid-$uuid/injector.sh
+
+#
+# Match the drive and partition type, but not the exact partition - so this
+# injector will be run against all partitions of given type (eg. NTFS).
+#
+# You are responsible for implementing checks eg. for specific directory,
+# or any other condition(s) unique to the exact filesystem, that you're
+# trying to match.
+#
+elif [ "$drive_serial" != "" ] && [ -x /opt/drivebadger/injectors/$fs-$drive_serial/injector.sh ]; then
+	echo /opt/drivebadger/injectors/$fs-$drive_serial/injector.sh
+
+#
+# Run this injector for all partitions of given type (eg. NTFS),
+# that were not matched by any specific injector.
+#
+elif [ -x /opt/drivebadger/injectors/$fs/injector.sh ]; then
+	echo /opt/drivebadger/injectors/$fs/injector.sh
+fi

src/get-partition-drive.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+partition=$1
+
+if [[ $partition =~ ^dm ]] || [[ $partition =~ ^md ]]; then
+	echo $partition  # is it enough to properly support various RAID types?
+elif [[ $partition =~ ^mmc ]] || [[ $partition =~ ^nvme ]]; then
+	echo $partition |cut -dp -f1
+else
+	echo $partition |sed 's/[0-9]//g'  # sdx or sdxy
+fi

src/get-partition-fs-type.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+partition=$1
+directory=$2
+
+if [ ! -f $directory/$partition.txt ]; then
+	udevadm info --query=all --name=/dev/$partition >$directory/$partition.txt
+fi
+
+grep ID_FS_TYPE $directory/$partition.txt |cut -d'=' -f2

src/get-ptp-device-name.sh

@@ -0,0 +1,21 @@
+#!/bin/sh
+
+PORT=$1
+FILE=$2
+
+gphoto2 --summary --port $PORT 2>/dev/null >$FILE
+
+# data transfer from other PTP device in progress
+if grep -q '^For debugging messages' $FILE; then
+	rm -f $FILE
+	exit 0
+fi
+
+if grep -q ^Manufacturer: $FILE; then
+	vendor=`grep ^Manufacturer: $FILE |cut -d: -f2 |tr -d '[:space:]'`
+	model=`grep ^Model: $FILE |cut -d: -f2 |tr -d '[:space:]'`
+	serial=`grep 'Serial Number:' $FILE |cut -d: -f2 |tr -d '[:space:]'`
+	echo "${vendor}_${model}_${serial}_PTP" |tr ',' '-' |tr -d '.()'
+else
+	gphoto2 --abilities --port $PORT 2>/dev/null |grep -v MTP |grep ^Abilities |cut -d: -f2 |sed -e 's/^[[:space:]]*//' -e 's/ /_/g'
+fi

src/get-raw-device.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+device=$1
+
+if [ "$device" != "" ]; then
+	dm=`readlink $device`
+
+	if [ "$dm" != "" ]; then  # eg. /dev/mapper/sdb3 -> /dev/dm-0 -> echo dm-0
+		basename $dm
+	else  # /dev/sdb3 -> echo sdb3
+		basename $device
+	fi
+fi

src/get-rsync-exclusion-lists.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+for list in `ls /opt/drivebadger/config/*/exclude.list`; do
+	echo -n " --exclude-from=$list"
+done
+
+for script in `ls /opt/drivebadger/hooks/*/exclude.sh 2>/dev/null`; do
+	$script $1
+done

src/get-udev-unrecognized-devices.sh

@@ -0,0 +1,33 @@
+#!/bin/sh
+
+recognized=`ls -l /dev/disk/by-uuid |grep -v ^total |rev |cut -d'/' -f1 |rev |sort |tr '\n' '|' |sed 's/.$//'`
+
+# 1. lsblk shows all drives and partitions, including not mounted
+# - basically all /dev/sd* and /dev/nvme* devices + some other, not
+# interesting entries (loop devices, LUKS encrypted volumes etc.)
+#
+# 2. grep " 0 part" leaves just partitions (UUID and non-UUID ones)
+#
+# 3. now filter out all partitions smaller than 1G - the intention
+# is to remove Microsoft Reserved Partitions, that look like
+# possibly encrypted, and trigger VeraCrypt key search, while
+# not having any useful data
+#
+# https://en.wikipedia.org/wiki/Microsoft_Reserved_Partition
+#
+# this possibly removes also other (UUID) partitions smaller than 1G,
+# but at this stage we are interested only in non-UUID ones, while
+# UUID partitions are already processed, and are removed below
+
+lsblk |grep " 0 part" |egrep -v "(K|M)  0 part" |tr -d '─├└' |cut -d' ' -f1 |egrep -v "($recognized)"
+
+
+# TODO: filter out LUKS-encrypted Linux swap partitions:
+# https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption
+#
+# these are tricky, since:
+# - they can have any size
+# - they HAVE UUID while initialized and attached as swap at current system run
+# - they have different UUID after each reboot
+# - they no longer have UUID (and are totally unrecognized) after removing
+#   them from /etc/crypttab and reboot

src/list-mtp-devices.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+jmtpfs -l 2>/dev/null |grep -v ^Available |grep -v ^Device |sort |uniq |while read line; do
+	BUS=`echo "$line" |cut -d, -f1 |tr -d '[:space:]'`
+	DEV=`echo "$line" |cut -d, -f2 |tr -d '[:space:]'`
+
+	vendor=`echo "$line" |cut -d, -f6 |tr -d '[:space:]'`
+	model=`echo "$line" |cut -d, -f5 |cut -d'(' -f1 |sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]$//' -e 's/ /_/g'`
+
+	echo "${vendor}_${model}_MTP:$BUS,$DEV"
+done

src/list-ptp-ports.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+gphoto2 --auto-detect |grep usb: |cut -d: -f2 |sed -e "s/^/usb:/"

src/luks.sh

@@ -0,0 +1,45 @@
+#!/bin/sh
+
+target_root_directory=$1
+target_directory=$2
+keys_directory=$3
+drive_serial=$4
+current_partition=$5
+uuid=$6
+
+
+logger "attempting to decrypt LUKS encrypted partition $current_partition"
+mountpoint=/media/$current_partition/mnt
+subtarget=$target_directory/$drive_serial/${current_partition}_luks
+mkdir -p $mountpoint $subtarget
+
+injector=`/opt/drivebadger/internal/generic/get-injector-script.sh luks $drive_serial $uuid`
+
+for recovery_key in `/opt/drivebadger/internal/generic/keys/get-drive-encryption-keys.sh luks $keys_directory $drive_serial`; do
+	echo "$recovery_key" |cryptsetup -q luksOpen /dev/$current_partition luks_$current_partition 2>>$subtarget/rsync.err
+	if [ -e /dev/mapper/luks_$current_partition ]; then
+
+		echo $recovery_key >$subtarget/luks.key
+		/opt/drivebadger/internal/generic/keys/save-drive-encryption-key.sh luks $keys_directory $drive_serial $recovery_key
+
+		mount -o ro /dev/mapper/luks_$current_partition $mountpoint >>$subtarget/rsync.log 2>>$subtarget/rsync.err
+		/opt/drivebadger/internal/generic/process-hooks.sh $mountpoint $target_root_directory
+
+		logger "copying UUID=$uuid (partition $current_partition filesystem LUKS, mounted as $mountpoint, target directory $subtarget)"
+		/opt/drivebadger/internal/generic/rsync-partition.sh $mountpoint $subtarget >>$subtarget/rsync.log 2>>$subtarget/rsync.err
+		umount $mountpoint
+		logger "copied UUID=$uuid"
+
+		if [ "$injector" != "" ]; then
+			logger "attempting to inject UUID=$uuid (partition $current_partition filesystem LUKS, mounted as $mountpoint, injector $injector)"
+			if mount -o rw /dev/mapper/luks_$current_partition $mountpoint >>$subtarget/injector.log 2>>$subtarget/injector.err; then
+				$injector $mountpoint >>$subtarget/injector.log 2>>$subtarget/injector.err
+				umount $mountpoint
+				logger "injected UUID=$uuid"
+			fi
+		fi
+
+		cryptsetup luksClose luks_$current_partition
+		break
+	fi
+done

src/mount-apfs-filesystem.sh

@@ -0,0 +1,22 @@
+#!/bin/sh
+
+keys_directory=$1
+drive_serial=$2
+device=$3
+slice=$4
+mountpoint=$5
+subtarget=$6
+
+if fsapfsmount -f $slice $device $mountpoint; then
+	exit 0
+fi
+
+for recovery_key in `/opt/drivebadger/internal/generic/keys/get-drive-encryption-keys.sh apfs $keys_directory $drive_serial`; do
+	if fsapfsmount -f $slice -p$recovery_key $device $mountpoint; then
+		echo $recovery_key >$subtarget/apfs.key
+		/opt/drivebadger/internal/generic/keys/save-drive-encryption-key.sh apfs $keys_directory $drive_serial $recovery_key
+		exit 0
+	fi
+done
+
+exit 1

src/plain.sh

@@ -0,0 +1,46 @@
+#!/bin/sh
+
+target_root_directory=$1
+target_directory=$2
+keys_directory=$3
+drive_serial=$4
+current_partition=$5
+uuid=$6
+fs=$7
+
+
+mountpoint=/media/$current_partition/mnt
+subtarget=$target_directory/$drive_serial/${current_partition}_${fs}
+mkdir -p $mountpoint $subtarget
+
+injector=`/opt/drivebadger/internal/generic/get-injector-script.sh $fs $drive_serial $uuid`
+
+if mount -t $fs -o ro /dev/$current_partition $mountpoint >>$subtarget/rsync.log 2>>$subtarget/rsync.err; then
+	/opt/drivebadger/internal/generic/process-hooks.sh $mountpoint $target_root_directory
+
+	logger "copying UUID=$uuid (partition $current_partition filesystem $fs, mounted as $mountpoint, target directory $subtarget)"
+	/opt/drivebadger/internal/generic/rsync-partition.sh $mountpoint $subtarget >>$subtarget/rsync.log 2>>$subtarget/rsync.err
+	logger "copied UUID=$uuid"
+
+	if [ "$injector" != "" ]; then
+		logger "attempting to inject UUID=$uuid (partition $current_partition filesystem $fs, mounted as $mountpoint, injector $injector)"
+		if mount -t $fs -o remount,rw /dev/$current_partition $mountpoint >>$subtarget/injector.log 2>>$subtarget/injector.err; then
+			$injector $mountpoint >>$subtarget/injector.log 2>>$subtarget/injector.err
+			logger "injected UUID=$uuid"
+		fi
+	fi
+
+	# hook-virtual uses task spooler to queue exfiltration of VHD/VHDX containers stored
+	# on plain NTFS, on Hyper-V servers - if such tasks for this particular partition are
+	# in progress (or still queued), do not unmount, since it would make these containers
+	# inaccessible.
+	#
+	# if this is not Hyper-V (or any other NTFS), or no VHD/VHDX containers were found,
+	# then simply unmount and forget.
+	#
+	if [ "`ps aux |grep \"tsp /opt/drivebadger\" |grep $mountpoint`" = "" ]; then
+		umount $mountpoint
+	fi
+else
+	logger "error mounting UUID=$uuid (partition $current_partition filesystem $fs, attempted mount as $mountpoint, target directory $subtarget)"
+fi