/// <summary>
/// Emits the object directory entry for <paramref name="path"/> through WriteItemObject,
/// using the cached entry when one exists and otherwise looking the entry up with
/// GetPathDirectory and GetEntry.
/// </summary>
/// <param name="path">Provider path of the item to look up.</param>
protected override void GetItem(string path)
        {
            // Without a drive there is no directory root to build an entry against.
            if (GetDrive() == null)
            {
                return;
            }

            string cache_key = NormalizePath(path);
            ObjectDirectoryEntry cached;

            if (_item_cache.TryGetValue(cache_key, out cached))
            {
                // NOTE(review): this branch reports the caller's path unchanged, while the lookup
                // branch below strips leading backslashes - confirm the difference is intended.
                WriteItemObject(cached, path, cached.IsDirectory);
                return;
            }

            using (NtDirectory directory = GetPathDirectory(path))
            {
                ObjectDirectoryInformation info = GetEntry(directory, path);
                if (info == null)
                {
                    // Nothing is written when GetEntry finds no entry.
                    return;
                }

                ObjectDirectoryEntry fresh = new ObjectDirectoryEntry(GetDrive().DirectoryRoot, cache_key, info.Name, info.TypeName);
                WriteItemObject(fresh, path.TrimStart('\\'), info.IsDirectory);
            }
        }
Beispiel #2
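        /// <summary>
        /// Walks the chain of object directory entries that starts at <paramref name="ptr"/> and is
        /// linked through ChainLink, adding one <see cref="ObjectTreeRecord"/> per entry to
        /// _objectMap.ObjectTreeRecords. Entries whose type name is "Directory" are additionally
        /// handed to ProcessDirectory.
        /// </summary>
        /// <param name="ptr">Virtual address of the first entry in the chain.</param>
        /// <param name="parent">Index recorded as the parent of every entry in this chain.</param>
        private void BuildTree(ulong ptr, int parent)
        {
            // Every pointer followed here is read from the memory being analysed. A damaged or
            // deliberately crafted image can hold a chain that is very long or that loops back on
            // itself; the original tail recursion would then exhaust the stack, which .NET cannot
            // recover from. Iterating and remembering visited addresses bounds the walk.
            // NOTE(review): ProcessDirectory presumably calls back into this method for nested
            // directories; that nesting is not covered by this guard - confirm.
            System.Collections.Generic.HashSet<ulong> visited = new System.Collections.Generic.HashSet<ulong>();
            ulong current = ptr;

            while (visited.Add(current))
            {
                ObjectDirectoryEntry objectDirectoryEntry = new ObjectDirectoryEntry(_profile, _dataProvider, virtualAddress: current);

                // The entry points at the object body; stepping back by the header size gives the
                // object header. The mask keeps the low 48 bits of the address.
                ulong        addr  = (objectDirectoryEntry.Members.Object - _objectMap.ObjectHeaderSize) & 0xffffffffffff;
                ObjectHeader oh    = new ObjectHeader(_profile, _dataProvider, addr);
                string       name  = _profile.GetObjectName(oh.TypeInfo);
                int          index = _index++;

                if (name == "Directory")
                {
                    // Children of a directory are recorded before the directory's own record,
                    // using the index reserved above as their parent.
                    ProcessDirectory(objectDirectoryEntry.Members.Object & 0xffffffffffff, index);
                }

                _objectMap.ObjectTreeRecords.Add(new ObjectTreeRecord()
                {
                    ObjectHeaderVirtualAddress = addr, Parent = parent, Index = index
                });

                // A zero link terminates the chain.
                current = (objectDirectoryEntry.Members.ChainLink) & 0xffffffffffff;
                if (current == 0)
                {
                    break;
                }
            }
        }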
Beispiel #3
 /// <summary>
 /// Reads the target of the symbolic link named by the entry's full path.
 /// </summary>
 /// <param name="entry">Entry whose FullPath is passed to ObjectNamespace.ReadSymlink.</param>
 /// <returns>The link target, or an empty string when the read throws a Win32Exception.</returns>
 static string GetSymlinkTarget(ObjectDirectoryEntry entry)
 {
     string target;

     try
     {
         target = ObjectNamespace.ReadSymlink(entry.FullPath);
     }
     catch (System.ComponentModel.Win32Exception)
     {
         // Best effort: the failure reason is discarded, so a caller cannot tell a link that
         // could not be read from one whose target really is empty.
         target = "";
     }

     return target;
 }
 /// <summary>
 /// Returns the symbolic link target for <paramref name="entry"/>, read with
 /// ObjectNamespace.ReadSymlink from the entry's full path.
 /// </summary>
 /// <param name="entry">Entry to resolve.</param>
 /// <returns>The target string; empty when ReadSymlink throws a Win32Exception.</returns>
 static string GetSymlinkTarget(ObjectDirectoryEntry entry)
 {
     // Start from the fallback value so the handler has nothing left to do.
     string resolved = "";

     try
     {
         resolved = ObjectNamespace.ReadSymlink(entry.FullPath);
     }
     catch (System.ComponentModel.Win32Exception)
     {
         // Swallowed on purpose; the empty fallback above is returned and the error is not reported.
     }

     return resolved;
 }
 /// <summary>
 /// Resolves the symbolic link at the entry's full path through ObjectNamespace.ReadSymlink.
 /// </summary>
 /// <param name="entry">Entry whose FullPath names the link.</param>
 /// <returns>The link target, or an empty string if an NtException is thrown.</returns>
 static string GetSymlinkTarget(ObjectDirectoryEntry entry)
 {
     try
     {
         string link_target = ObjectNamespace.ReadSymlink(entry.FullPath);
         return link_target;
     }
     catch (NtException)
     {
         // The NT status is dropped here, so an unreadable link and an empty target
         // look the same to the caller.
         return "";
     }
 }
 /// <summary>
 /// Opens the symbolic link object at the entry's full path and returns its Target.
 /// </summary>
 /// <param name="entry">Entry whose FullPath is opened.</param>
 /// <returns>The link target, or an empty string if opening or reading throws an NtException.</returns>
 static string GetSymlinkTarget(ObjectDirectoryEntry entry)
 {
     try
     {
         // NOTE(review): the null second argument is presumably the root directory for a
         // relative open - confirm against NtSymbolicLink.Open.
         using (NtSymbolicLink symlink = NtSymbolicLink.Open(entry.FullPath, null))
         {
             string target = symlink.Target;
             return target;
         }
     }
     catch (NtException)
     {
         // Best effort: the failure is not reported, only an empty target is returned.
         return "";
     }
 }
        /// <summary>
        /// Resolves the path components in <paramref name="remaining"/> beneath
        /// <paramref name="root"/>, one directory level per call, and appends the full path of
        /// every entry matching the final component to <paramref name="matches"/>.
        /// </summary>
        /// <param name="root">Open directory whose entries are listed for this level.</param>
        /// <param name="base_path">Path prefix already resolved; entry names are appended to it.</param>
        /// <param name="remaining">Components still to match; the first one is handled here.</param>
        /// <param name="matches">Receives the full path of each leaf match.</param>
        private void AddMatches(NtDirectory root, string base_path, IEnumerable<string> remaining, List<string> matches)
        {
            string component = remaining.First();
            bool last_component = remaining.Count() == 1;

            // Without Query access the directory cannot be listed, so nothing can match.
            if (!root.IsAccessGranted(DirectoryAccessRights.Query))
            {
                return;
            }

            // Before the last component only directories are of interest.
            ObjectDirectoryInformation[] candidates = root.Query().Where(d => last_component || d.IsDirectory).ToArray();

            // An exact, case-insensitive name match wins, and only the first such entry is used.
            List<ObjectDirectoryInformation> selected = candidates
                .Where(c => c.Name.Equals(component, StringComparison.OrdinalIgnoreCase))
                .Take(1)
                .ToList();

            // The component is treated as a glob only when no entry has that literal name.
            if (selected.Count == 0 && HasGlobChars(component))
            {
                Regex pattern = GlobToRegex(component, false);
                selected.AddRange(candidates.Where(c => pattern.IsMatch(c.Name)));
            }

            if (selected.Count == 0)
            {
                return;
            }

            if (!last_component)
            {
                foreach (ObjectDirectoryInformation child in selected)
                {
                    try
                    {
                        // The child is opened relative to the already open parent, asking for
                        // Query access only.
                        using (NtDirectory child_dir = NtDirectory.Open(child.Name, root, DirectoryAccessRights.Query))
                        {
                            AddMatches(child_dir, base_path + child.Name + @"\", remaining.Skip(1), matches);
                        }
                    }
                    catch (NtException)
                    {
                        // Deliberately ignored: a subtree that raises an NtException is left out of
                        // the results, so the output can silently be incomplete.
                    }
                }

                return;
            }

            foreach (ObjectDirectoryInformation hit in selected)
            {
                string full_path = base_path + hit.Name;

                // NOTE(review): the cache key is full_path as built here, while the entry itself
                // carries NormalizePath(full_path) - confirm that lookups use the same form.
                _item_cache[full_path] = new ObjectDirectoryEntry(GetDrive().DirectoryRoot, NormalizePath(full_path), hit.Name, hit.TypeName);
                matches.Add(full_path);
            }
        }
 /// <summary>
 /// Returns the Target of the symbolic link object opened from the entry's full path.
 /// </summary>
 /// <param name="entry">Entry whose FullPath names the link to open.</param>
 /// <returns>The target string; empty when an NtException is thrown while opening or reading.</returns>
 static string GetSymlinkTarget(ObjectDirectoryEntry entry)
 {
     string resolved = "";

     try
     {
         using (NtSymbolicLink handle = NtSymbolicLink.Open(entry.FullPath, null))
         {
             resolved = handle.Target;
         }
     }
     catch (NtException)
     {
         // Reset so that a failure after the read (for example while disposing) still yields
         // the empty fallback. The error itself is not surfaced to the caller.
         resolved = "";
     }

     return resolved;
 }
        /// <summary>
        /// Matches the first component of <paramref name="remaining"/> against the entries of
        /// <paramref name="root"/> and either records the hits (last component) or recurses into
        /// each matching directory with the rest of the components.
        /// </summary>
        /// <param name="root">Open directory to list at this level.</param>
        /// <param name="base_path">Prefix prepended to each entry name to form its full path.</param>
        /// <param name="remaining">Path components left to resolve; must contain at least one.</param>
        /// <param name="matches">Output list of full paths for leaf matches.</param>
        private void AddMatches(NtDirectory root, string base_path, IEnumerable <string> remaining, List <string> matches)
        {
            string wanted  = remaining.First();
            bool   at_leaf = remaining.Count() == 1;
            List <ObjectDirectoryInformation> hits = new List <ObjectDirectoryInformation>();

            // The directory is listed only when the handle grants Query access; otherwise
            // the hit list stays empty and the method returns below.
            if (root.IsAccessGranted(DirectoryAccessRights.Query))
            {
                // Non-directory entries are only relevant for the final component.
                ObjectDirectoryInformation[] listing = root.Query().Where(d => at_leaf || d.IsDirectory).ToArray();

                // First entry whose name equals the component, ignoring case.
                int exact = Array.FindIndex(listing, e => e.Name.Equals(wanted, StringComparison.OrdinalIgnoreCase));
                if (exact >= 0)
                {
                    hits.Add(listing[exact]);
                }
                else if (HasGlobChars(wanted))
                {
                    // No literal match, so interpret the component as a glob pattern.
                    Regex glob = GlobToRegex(wanted, false);
                    for (int i = 0; i < listing.Length; i++)
                    {
                        if (glob.IsMatch(listing[i].Name))
                        {
                            hits.Add(listing[i]);
                        }
                    }
                }
            }

            if (hits.Count == 0)
            {
                return;
            }

            foreach (ObjectDirectoryInformation hit in hits)
            {
                if (at_leaf)
                {
                    // Final component: cache an entry for the hit and report its path.
                    // NOTE(review): the key is the path as concatenated here, whereas the stored
                    // entry receives NormalizePath(full_path) - verify readers of the cache agree.
                    string full_path = base_path + hit.Name;
                    _item_cache[full_path] = new ObjectDirectoryEntry(GetDrive().DirectoryRoot, NormalizePath(full_path), hit.Name, hit.TypeName);
                    matches.Add(full_path);
                    continue;
                }

                try
                {
                    // Open the subdirectory relative to root with Query access only, then
                    // continue with the components after the current one.
                    using (NtDirectory sub_dir = NtDirectory.Open(hit.Name, root, DirectoryAccessRights.Query))
                    {
                        AddMatches(sub_dir, base_path + hit.Name + @"\", remaining.Skip(1), matches);
                    }
                }
                catch (NtException)
                {
                    // Intentionally swallowed: a directory that raises an NtException is skipped
                    // without any record, so callers see fewer matches rather than an error.
                }
            }
        }