Vault7: CIA Hacking Tools Revealed
File Collection Library
SECRET//NOFORN
Stash Repository: File Collection Library
Interface Description: The interfaces for the File Collection Library are intended to be unilateral.
There exist three file collection interfaces, the second two building off the first, most basic interface. The File Collection Library requires use of the Data Packager Library interface. The purpose is to make the actual data collection (compression, encryption, IO, storage) more portable and separate from the collection algorithm. All constructors for FileCollection classes take an IDataPackager object. See the Data Packager page for more information.
IFileCollectionBase - The base interface for the following two interfaces. It can be the base for any file collection class, but provides for only the most basic file matching, or whatever method the developer wants to implement.
IFileCollection_NoPriority - Provides the definition of a collection parameter that allows for more detailed collection specs based on size, dates, locations, etc.
IFileCollection_Priority - Provides the definition of a collection parameter that allows for more detailed collection specs, but with the addition of a spec priority field.
virtual FileCollectErr Initialize(PWCHAR pszFileSpecs, DWORD dwSpecsBufSize, PWCHAR pszRoot = NULL, void * pParam = NULL) = 0;
Description: Allocates any needed memory and initializes any implementation specific class and member variables.
pszFileSpecs [in]: List of file specs to be used as search criteria. If prioritizing collection, specs must be in order of importance, most important first. May be NULL if the user plans on setting criteria later.
dwSpecsBufSize [in]: Size of pszFileSpecs in bytes.
pszRoot [in, opt]: Root directory of search. If NULL, file collection will traverse ALL eligible drives.
pParam [in, opt]: Additional, implementation specific data.
Returns: FileCollectErr
virtual FileCollectErr EnumerateFiles(HANDLE * hEnumerationThread = NULL);
Description: Optional. Traverses files, searching for files that match a predefined search criteria, adding them to an implementation specific list of files, to be collected at a later time. May return immediately in some implementations.
hEnumerationThread [in, opt]: Returns a handle to the background thread used to enumerate files.
Returns: FileCollectErr
virtual FileCollectErr CollectFiles(void * pParam = NULL) = 0;
Description: Collects files via implementation specific algorithm. If using EnumerateFiles(), it will likely only go through a list of paths and feed them to the instance's DataPackager.
pParam [in, opt]: Additional, implementation specific data.
Returns: FileCollectErr
virtual FileCollectErr StopCollection() = 0;
Description: Optional. Provides user with a way to cease collection immediately. Mostly compatible with asynchronous collection.
Returns a FileCollectErr which is described in the Error Code section.
Library Conventions:
Prefix: FC (FileCollector)
File Collection Type: PRI (Prioritized Collection)
Enumerated Files: E
Short one or two word description of method/algorithm used. (Recursive, depth first, anything that is unique.)
Examples:
FC_BasicNonRecursive : File Collection class that uses a non-recursive algorithm to traverse file system. No priority based collection, no file enumeration.
FC_PRI_E_Asynchronous: A file collection class that allows prioritization of collection constraints, and enumerates files using asynchronous methods.
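When class names of this form turn up in strings or symbols during analysis of a sample, the convention above can be decoded mechanically. The following is an added example, not code from the original page or from the library it describes; `FcClassName` and `DecodeFcClassName` are hypothetical names, and the token order (PRI before E) is an assumption taken from the page's example.

```cpp
#include <cstddef>
#include <sstream>
#include <string>
#include <vector>

// Fields encoded in a class name by the "Library Conventions" section.
// Hypothetical struct, introduced for this example only.
struct FcClassName {
    bool valid = false;        // name follows the convention
    bool prioritized = false;  // "PRI" token present
    bool enumerates = false;   // "E" token present
    std::string description;   // trailing method/algorithm words
};

// Decode a name such as "FC_PRI_E_Asynchronous".
// Assumption: optional tokens appear in the order PRI, then E, as in the
// page's example; the page does not state the order explicitly.
FcClassName DecodeFcClassName(const std::string& name) {
    FcClassName out;
    std::vector<std::string> tokens;
    std::stringstream ss(name);
    for (std::string tok; std::getline(ss, tok, '_');) tokens.push_back(tok);

    // The prefix must be "FC" and at least one more token must follow.
    if (tokens.size() < 2 || tokens[0] != "FC") return out;

    std::size_t i = 1;
    // A marker counts as a flag only if something follows it, so a bare
    // "FC_E" is read as description "E", not as a flag with no description.
    if (i + 1 < tokens.size() && tokens[i] == "PRI") { out.prioritized = true; ++i; }
    if (i + 1 < tokens.size() && tokens[i] == "E") { out.enumerates = true; ++i; }

    // Remaining tokens form the description; restore any underscores.
    for (std::size_t j = i; j < tokens.size(); ++j) {
        if (j > i) out.description += '_';
        out.description += tokens[j];
    }
    out.valid = !out.description.empty();
    return out;
}
```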
File Collection Member List:
Non-recursive algorithm that inherits from IFileCollectionBase - Class Name: FC_BasicNonRecursive
Error Code Descriptions:
Error codes are compatible with the SUCCEEDED() and FAILED() macros.
enum FileCollectErr : int
{
    // Success
    eFC_SUCCESS = 0,                        // Successful operation
    // Failure
    eFC_ERROR_GENERIC = -1,                 // General error
    eFC_ERROR_NOT_SUPPORTED = -2,           // Function is not supported/implemented
    eFC_ERROR_OUT_OF_MEMORY = -3,           // Unable to allocate memory
    eFC_ERROR_ROOT_NOT_FOUND = -4,          // Given root not found
    eFC_ERROR_ROOT_ACCESS_DENIED = -5,      // Given root not accessible
    eFC_ERROR_ROOT_INVALID = -6,            // Given root is an invalid path
    eFC_ERROR_BAD_ARG = -7,                 // Bad arguments
    eFC_ERROR_PACKAGER_BUFFER = -8,         // Generic DataPackager error regarding buffer
    eFC_ERROR_PACKAGER_DATATRANSFER = -9,   // Generic DataPackager error regarding transfer
    eFC_ERROR_PACKAGER_DEST_FULL = -10,     // Destination media for collected files is full
    eFC_ERROR_NO_DATA_PACKAGER = -11,       // No DataPackager initialized
    eFC_ERROR_NO_CRITERIA = -12,            // No search criteria defined
    eFC_ERROR_OPERATION_ABORTED = -13       // Collection aborted (via Stop function or other means)
};
Code Sample Using The Library Interface: