private void SelfCheckIndex(File file, string name) { ReportInfo("About to self-check index {0} in file {1} (MFT:{2})", name, file.BestName, file.IndexInMft); IndexRoot root = file.GetStream(AttributeType.IndexRoot, name).GetContent <IndexRoot>(); byte[] rootBuffer; using (Stream s = file.OpenStream(AttributeType.IndexRoot, name, FileAccess.Read)) { rootBuffer = Utilities.ReadFully(s, (int)s.Length); } Bitmap indexBitmap = null; if (file.GetStream(AttributeType.Bitmap, name) != null) { indexBitmap = new Bitmap(file.OpenStream(AttributeType.Bitmap, name, FileAccess.Read), long.MaxValue); } if (!SelfCheckIndexNode(rootBuffer, IndexRoot.HeaderOffset, indexBitmap, root, file.BestName, name)) { ReportError("Index {0} in file {1} (MFT:{2}) has corrupt IndexRoot attribute", name, file.BestName, file.IndexInMft); } else { ReportInfo("Self-check of index {0} in file {1} (MFT:{2}) complete", name, file.BestName, file.IndexInMft); } }
public Index(File file, string name, BiosParameterBlock bpb, UpperCase upCase) { _file = file; _name = name; _bpb = bpb; _isFileIndex = name == "$I30"; _blockCache = new ObjectCache<long, IndexBlock>(); _root = _file.GetStream(AttributeType.IndexRoot, _name).GetContent<IndexRoot>(); _comparer = _root.GetCollator(upCase); using (Stream s = _file.OpenStream(AttributeType.IndexRoot, _name, FileAccess.Read)) { byte[] buffer = Utilities.ReadFully(s, (int)s.Length); _rootNode = new IndexNode(WriteRootNodeToDisk, 0, this, true, buffer, IndexRoot.HeaderOffset); // Give the attribute some room to breathe, so long as it doesn't squeeze others out // BROKEN, BROKEN, BROKEN - how to figure this out? Query at the point of adding entries to the root node? _rootNode.TotalSpaceAvailable += _file.MftRecordFreeSpace(AttributeType.IndexRoot, _name) - 100; } if (_file.StreamExists(AttributeType.IndexAllocation, _name)) { _indexStream = _file.OpenStream(AttributeType.IndexAllocation, _name, FileAccess.ReadWrite); } if (_file.StreamExists(AttributeType.Bitmap, _name)) { _indexBitmap = new Bitmap(_file.OpenStream(AttributeType.Bitmap, _name, FileAccess.ReadWrite), long.MaxValue); } }
public Index(File file, string name, BiosParameterBlock bpb, UpperCase upCase) { _file = file; _name = name; _bpb = bpb; IsFileIndex = name == "$I30"; _blockCache = new ObjectCache <long, IndexBlock>(); _root = _file.GetStream(AttributeType.IndexRoot, _name).GetContent <IndexRoot>(); _comparer = _root.GetCollator(upCase); using (Stream s = _file.OpenStream(AttributeType.IndexRoot, _name, FileAccess.Read)) { byte[] buffer = Utilities.ReadFully(s, (int)s.Length); _rootNode = new IndexNode(WriteRootNodeToDisk, 0, this, true, buffer, IndexRoot.HeaderOffset); // Give the attribute some room to breathe, so long as it doesn't squeeze others out // BROKEN, BROKEN, BROKEN - how to figure this out? Query at the point of adding entries to the root node? _rootNode.TotalSpaceAvailable += _file.MftRecordFreeSpace(AttributeType.IndexRoot, _name) - 100; } if (_file.StreamExists(AttributeType.IndexAllocation, _name)) { AllocationStream = _file.OpenStream(AttributeType.IndexAllocation, _name, FileAccess.ReadWrite); } if (_file.StreamExists(AttributeType.Bitmap, _name)) { _indexBitmap = new Bitmap(_file.OpenStream(AttributeType.Bitmap, _name, FileAccess.ReadWrite), long.MaxValue); } }
public void Initialize(File file) { _self = file; if (_recordStream != null) { _recordStream.Dispose(); } NtfsStream bitmapStream = _self.GetStream(AttributeType.Bitmap, null); _bitmap = new Bitmap(bitmapStream.Open(FileAccess.ReadWrite), long.MaxValue); NtfsStream recordsStream = _self.GetStream(AttributeType.Data, null); _recordStream = recordsStream.Open(FileAccess.ReadWrite); }
private void VerifyDirectories() { foreach (FileRecord fr in _context.Mft.Records) { if (fr.BaseFile.Value != 0) { continue; } File f = new File(_context, fr); foreach (var stream in f.AllStreams) { if (stream.AttributeType == AttributeType.IndexRoot && stream.Name == "$I30") { IndexView <FileNameRecord, FileRecordReference> dir = new IndexView <FileNameRecord, FileRecordReference>(f.GetIndex("$I30")); foreach (var entry in dir.Entries) { FileRecord refFile = _context.Mft.GetRecord(entry.Value); // Make sure each referenced file actually exists... if (refFile == null) { ReportError("Directory {0} references non-existent file {1}", f, entry.Key); } File referencedFile = new File(_context, refFile); StandardInformation si = referencedFile.GetStream(AttributeType.StandardInformation, null).GetContent <StandardInformation>(); if (si.CreationTime != entry.Key.CreationTime || si.MftChangedTime != entry.Key.MftChangedTime || si.ModificationTime != entry.Key.ModificationTime) { ReportInfo("Directory entry {0} in {1} is out of date", entry.Key, f); } } } } } }
public NtfsFileSystem Format(Stream stream) { _context = new NtfsContext(); _context.Options = new NtfsOptions(); _context.RawStream = stream; _context.AttributeDefinitions = new AttributeDefinitions(); string localAdminString = (ComputerAccount == null) ? "LA" : new SecurityIdentifier(WellKnownSidType.AccountAdministratorSid, ComputerAccount).ToString(); using (new NtfsTransaction()) { _clusterSize = 4096; _mftRecordSize = 1024; _indexBufferSize = 4096; long totalClusters = ((SectorCount - 1) * Sizes.Sector) / _clusterSize; // Allocate a minimum of 8KB for the boot loader, but allow for more int numBootClusters = Utilities.Ceil(Math.Max((int)(8 * Sizes.OneKiB), BootCode == null ? 0 : BootCode.Length), _clusterSize); // Place MFT mirror in the middle of the volume _mftMirrorCluster = totalClusters / 2; uint numMftMirrorClusters = 1; // The bitmap is also near the middle _bitmapCluster = _mftMirrorCluster + 13; int numBitmapClusters = (int)Utilities.Ceil((totalClusters / 8), _clusterSize); // The MFT bitmap goes 'near' the start - approx 10% in - but ensure we avoid the bootloader long mftBitmapCluster = Math.Max(3 + (totalClusters / 10), numBootClusters); int numMftBitmapClusters = 1; // The MFT follows it's bitmap _mftCluster = mftBitmapCluster + numMftBitmapClusters; int numMftClusters = 8; if (_mftCluster + numMftClusters > _mftMirrorCluster || _bitmapCluster + numBitmapClusters >= totalClusters) { throw new IOException("Unable to determine initial layout of NTFS metadata - disk may be too small"); } CreateBiosParameterBlock(stream, numBootClusters * _clusterSize); _context.Mft = new MasterFileTable(_context); File mftFile = _context.Mft.InitializeNew(_context, mftBitmapCluster, (ulong)numMftBitmapClusters, (long)_mftCluster, (ulong)numMftClusters); File bitmapFile = CreateFixedSystemFile(MasterFileTable.BitmapIndex, _bitmapCluster, (ulong)numBitmapClusters, true); _context.ClusterBitmap = new ClusterBitmap(bitmapFile); _context.ClusterBitmap.MarkAllocated(0, numBootClusters); _context.ClusterBitmap.MarkAllocated(_bitmapCluster, numBitmapClusters); _context.ClusterBitmap.MarkAllocated(mftBitmapCluster, numMftBitmapClusters); _context.ClusterBitmap.MarkAllocated(_mftCluster, numMftClusters); _context.ClusterBitmap.SetTotalClusters(totalClusters); bitmapFile.UpdateRecordInMft(); File mftMirrorFile = CreateFixedSystemFile(MasterFileTable.MftMirrorIndex, _mftMirrorCluster, numMftMirrorClusters, true); File logFile = CreateSystemFile(MasterFileTable.LogFileIndex); using (Stream s = logFile.OpenStream(AttributeType.Data, null, FileAccess.ReadWrite)) { s.SetLength(Math.Min(Math.Max(2 * Sizes.OneMiB, (totalClusters / 500) * (long)_clusterSize), 64 * Sizes.OneMiB)); byte[] buffer = new byte[1024 * 1024]; for (int i = 0; i < buffer.Length; ++i) { buffer[i] = 0xFF; } long totalWritten = 0; while (totalWritten < s.Length) { int toWrite = (int)Math.Min(s.Length - totalWritten, buffer.Length); s.Write(buffer, 0, toWrite); totalWritten += toWrite; } } File volumeFile = CreateSystemFile(MasterFileTable.VolumeIndex); NtfsStream volNameStream = volumeFile.CreateStream(AttributeType.VolumeName, null); volNameStream.SetContent(new VolumeName(Label ?? "New Volume")); NtfsStream volInfoStream = volumeFile.CreateStream(AttributeType.VolumeInformation, null); volInfoStream.SetContent(new VolumeInformation(3, 1, VolumeInformationFlags.None)); SetSecurityAttribute(volumeFile, "O:" + localAdminString + "G:BAD:(A;;0x12019f;;;SY)(A;;0x12019f;;;BA)"); volumeFile.UpdateRecordInMft(); _context.GetFileByIndex = delegate(long index) { return(new File(_context, _context.Mft.GetRecord(index, false))); }; _context.AllocateFile = delegate(FileRecordFlags frf) { return(new File(_context, _context.Mft.AllocateRecord(frf, false))); }; File attrDefFile = CreateSystemFile(MasterFileTable.AttrDefIndex); _context.AttributeDefinitions.WriteTo(attrDefFile); SetSecurityAttribute(attrDefFile, "O:" + localAdminString + "G:BAD:(A;;FR;;;SY)(A;;FR;;;BA)"); attrDefFile.UpdateRecordInMft(); File bootFile = CreateFixedSystemFile(MasterFileTable.BootIndex, 0, (uint)numBootClusters, false); SetSecurityAttribute(bootFile, "O:" + localAdminString + "G:BAD:(A;;FR;;;SY)(A;;FR;;;BA)"); bootFile.UpdateRecordInMft(); File badClusFile = CreateSystemFile(MasterFileTable.BadClusIndex); badClusFile.CreateStream(AttributeType.Data, "$Bad"); badClusFile.UpdateRecordInMft(); File secureFile = CreateSystemFile(MasterFileTable.SecureIndex, FileRecordFlags.HasViewIndex); secureFile.RemoveStream(secureFile.GetStream(AttributeType.Data, null)); _context.SecurityDescriptors = SecurityDescriptors.Initialize(secureFile); secureFile.UpdateRecordInMft(); File upcaseFile = CreateSystemFile(MasterFileTable.UpCaseIndex); _context.UpperCase = UpperCase.Initialize(upcaseFile); upcaseFile.UpdateRecordInMft(); File objIdFile = File.CreateNew(_context, FileRecordFlags.IsMetaFile | FileRecordFlags.HasViewIndex, FileAttributeFlags.None); objIdFile.RemoveStream(objIdFile.GetStream(AttributeType.Data, null)); objIdFile.CreateIndex("$O", (AttributeType)0, AttributeCollationRule.MultipleUnsignedLongs); objIdFile.UpdateRecordInMft(); File reparseFile = File.CreateNew(_context, FileRecordFlags.IsMetaFile | FileRecordFlags.HasViewIndex, FileAttributeFlags.None); reparseFile.CreateIndex("$R", (AttributeType)0, AttributeCollationRule.MultipleUnsignedLongs); reparseFile.UpdateRecordInMft(); File quotaFile = File.CreateNew(_context, FileRecordFlags.IsMetaFile | FileRecordFlags.HasViewIndex, FileAttributeFlags.None); Quotas.Initialize(quotaFile); Directory extendDir = CreateSystemDirectory(MasterFileTable.ExtendIndex); extendDir.AddEntry(objIdFile, "$ObjId", FileNameNamespace.Win32AndDos); extendDir.AddEntry(reparseFile, "$Reparse", FileNameNamespace.Win32AndDos); extendDir.AddEntry(quotaFile, "$Quota", FileNameNamespace.Win32AndDos); extendDir.UpdateRecordInMft(); Directory rootDir = CreateSystemDirectory(MasterFileTable.RootDirIndex); rootDir.AddEntry(mftFile, "$MFT", FileNameNamespace.Win32AndDos); rootDir.AddEntry(mftMirrorFile, "$MFTMirr", FileNameNamespace.Win32AndDos); rootDir.AddEntry(logFile, "$LogFile", FileNameNamespace.Win32AndDos); rootDir.AddEntry(volumeFile, "$Volume", FileNameNamespace.Win32AndDos); rootDir.AddEntry(attrDefFile, "$AttrDef", FileNameNamespace.Win32AndDos); rootDir.AddEntry(rootDir, ".", FileNameNamespace.Win32AndDos); rootDir.AddEntry(bitmapFile, "$Bitmap", FileNameNamespace.Win32AndDos); rootDir.AddEntry(bootFile, "$Boot", FileNameNamespace.Win32AndDos); rootDir.AddEntry(badClusFile, "$BadClus", FileNameNamespace.Win32AndDos); rootDir.AddEntry(secureFile, "$Secure", FileNameNamespace.Win32AndDos); rootDir.AddEntry(upcaseFile, "$UpCase", FileNameNamespace.Win32AndDos); rootDir.AddEntry(extendDir, "$Extend", FileNameNamespace.Win32AndDos); SetSecurityAttribute(rootDir, "O:" + localAdminString + "G:BUD:(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICIIO;GA;;;CO)(A;OICI;0x1200a9;;;BU)(A;CI;LC;;;BU)(A;CIIO;DC;;;BU)(A;;0x1200a9;;;WD)"); rootDir.UpdateRecordInMft(); // A number of records are effectively 'reserved' for (long i = MasterFileTable.ExtendIndex + 1; i <= 15; i++) { File f = CreateSystemFile(i); SetSecurityAttribute(f, "O:S-1-5-21-1708537768-746137067-1060284298-1003G:BAD:(A;;0x12019f;;;SY)(A;;0x12019f;;;BA)"); f.UpdateRecordInMft(); } } // XP-style security permissions setup NtfsFileSystem ntfs = new NtfsFileSystem(stream); ntfs.SetSecurity(@"$MFT", new RawSecurityDescriptor("O:" + localAdminString + "G:BAD:(A;;FR;;;SY)(A;;FR;;;BA)")); ntfs.SetSecurity(@"$MFTMirr", new RawSecurityDescriptor("O:" + localAdminString + "G:BAD:(A;;FR;;;SY)(A;;FR;;;BA)")); ntfs.SetSecurity(@"$LogFile", new RawSecurityDescriptor("O:" + localAdminString + "G:BAD:(A;;FR;;;SY)(A;;FR;;;BA)")); ntfs.SetSecurity(@"$Bitmap", new RawSecurityDescriptor("O:" + localAdminString + "G:BAD:(A;;FR;;;SY)(A;;FR;;;BA)")); ntfs.SetSecurity(@"$BadClus", new RawSecurityDescriptor("O:" + localAdminString + "G:BAD:(A;;FR;;;SY)(A;;FR;;;BA)")); ntfs.SetSecurity(@"$UpCase", new RawSecurityDescriptor("O:" + localAdminString + "G:BAD:(A;;FR;;;SY)(A;;FR;;;BA)")); ntfs.SetSecurity(@"$Secure", new RawSecurityDescriptor("O:" + localAdminString + "G:BAD:(A;;0x12019f;;;SY)(A;;0x12019f;;;BA)")); ntfs.SetSecurity(@"$Extend", new RawSecurityDescriptor("O:" + localAdminString + "G:BAD:(A;;0x12019f;;;SY)(A;;0x12019f;;;BA)")); ntfs.SetSecurity(@"$Extend\$Quota", new RawSecurityDescriptor("O:" + localAdminString + "G:BAD:(A;;0x12019f;;;SY)(A;;0x12019f;;;BA)")); ntfs.SetSecurity(@"$Extend\$ObjId", new RawSecurityDescriptor("O:" + localAdminString + "G:BAD:(A;;0x12019f;;;SY)(A;;0x12019f;;;BA)")); ntfs.SetSecurity(@"$Extend\$Reparse", new RawSecurityDescriptor("O:" + localAdminString + "G:BAD:(A;;0x12019f;;;SY)(A;;0x12019f;;;BA)")); ntfs.CreateDirectory("System Volume Information"); ntfs.SetAttributes("System Volume Information", FileAttributes.Hidden | FileAttributes.System | FileAttributes.Directory); ntfs.SetSecurity("System Volume Information", new RawSecurityDescriptor("O:BAG:SYD:(A;OICI;FA;;;SY)")); using (Stream s = ntfs.OpenFile(@"System Volume Information\MountPointManagerRemoteDatabase", FileMode.Create)) { } ntfs.SetAttributes(@"System Volume Information\MountPointManagerRemoteDatabase", FileAttributes.Hidden | FileAttributes.System | FileAttributes.Archive); ntfs.SetSecurity(@"System Volume Information\MountPointManagerRemoteDatabase", new RawSecurityDescriptor("O:BAG:SYD:(A;;FA;;;SY)")); return(ntfs); }
private void DoSetSecurity(File file, RawSecurityDescriptor securityDescriptor) { NtfsStream legacyStream = file.GetStream(AttributeType.SecurityDescriptor, null); if (legacyStream != null) { SecurityDescriptor sd = new SecurityDescriptor(); sd.Descriptor = securityDescriptor; legacyStream.SetContent(sd); } else { uint id = _context.SecurityDescriptors.AddDescriptor(securityDescriptor); // Update the standard information attribute - so it reflects the actual file state NtfsStream stream = file.GetStream(AttributeType.StandardInformation, null); StandardInformation si = stream.GetContent<StandardInformation>(); si.SecurityId = id; stream.SetContent(si); // Write attribute changes back to the Master File Table file.UpdateRecordInMft(); } }
private RawSecurityDescriptor DoGetSecurity(File file) { NtfsStream legacyStream = file.GetStream(AttributeType.SecurityDescriptor, null); if (legacyStream != null) { return legacyStream.GetContent<SecurityDescriptor>().Descriptor; } StandardInformation si = file.StandardInformation; return _context.SecurityDescriptors.GetDescriptorById(si.SecurityId); }
private void RemoveReparsePoint(File file) { NtfsStream stream = file.GetStream(AttributeType.ReparsePoint, null); if (stream != null) { ReparsePointRecord rp = new ReparsePointRecord(); using (Stream contentStream = stream.Open(FileAccess.Read)) { byte[] buffer = Utilities.ReadFully(contentStream, (int)contentStream.Length); rp.ReadFrom(buffer, 0); } file.RemoveStream(stream); // Update the standard information attribute - so it reflects the actual file state NtfsStream stdInfoStream = file.GetStream(AttributeType.StandardInformation, null); StandardInformation si = stdInfoStream.GetContent<StandardInformation>(); si.FileAttributes = si.FileAttributes & ~FileAttributeFlags.ReparsePoint; stdInfoStream.SetContent(si); // Remove the reparse point from the index _context.ReparsePoints.Remove(rp.Tag, file.MftReference); } }
private static void UpdateStandardInformation(DirectoryEntry dirEntry, File file, StandardInformationModifier modifier) { // Update the standard information attribute - so it reflects the actual file state NtfsStream stream = file.GetStream(AttributeType.StandardInformation, null); StandardInformation si = stream.GetContent<StandardInformation>(); modifier(si); stream.SetContent(si); // Update the directory entry used to open the file, so it's accurate dirEntry.UpdateFrom(file); // Write attribute changes back to the Master File Table file.UpdateRecordInMft(); }
public void Initialize(File file) { _self = file; if (_recordStream != null) { _recordStream.Dispose(); } NtfsStream bitmapStream = _self.GetStream(AttributeType.Bitmap, null); _bitmap = new Bitmap(bitmapStream.Open(FileAccess.ReadWrite), long.MaxValue); NtfsStream recordsStream = _self.GetStream(AttributeType.Data, null); _recordStream = recordsStream.Open(FileAccess.ReadWrite); }
private void SelfCheckIndex(File file, string name) { ReportInfo("About to self-check index {0} in file {1} (MFT:{2})", name, file.BestName, file.IndexInMft); IndexRoot root = file.GetStream(AttributeType.IndexRoot, name).GetContent<IndexRoot>(); byte[] rootBuffer; using (Stream s = file.OpenStream(AttributeType.IndexRoot, name, FileAccess.Read)) { rootBuffer = Utilities.ReadFully(s, (int)s.Length); } Bitmap indexBitmap = null; if (file.GetStream(AttributeType.Bitmap, name) != null) { indexBitmap = new Bitmap(file.OpenStream(AttributeType.Bitmap, name, FileAccess.Read), long.MaxValue); } if (!SelfCheckIndexNode(rootBuffer, IndexRoot.HeaderOffset, indexBitmap, root, file.BestName, name)) { ReportError("Index {0} in file {1} (MFT:{2}) has corrupt IndexRoot attribute", name, file.BestName, file.IndexInMft); } else { ReportInfo("Self-check of index {0} in file {1} (MFT:{2}) complete", name, file.BestName, file.IndexInMft); } }
private void VerifyDirectories() { foreach (FileRecord fr in _context.Mft.Records) { if (fr.BaseFile.Value != 0) { continue; } File f = new File(_context, fr); foreach (var stream in f.AllStreams) { if (stream.AttributeType == AttributeType.IndexRoot && stream.Name == "$I30") { IndexView<FileNameRecord, FileRecordReference> dir = new IndexView<FileNameRecord, FileRecordReference>(f.GetIndex("$I30")); foreach (var entry in dir.Entries) { FileRecord refFile = _context.Mft.GetRecord(entry.Value); // Make sure each referenced file actually exists... if (refFile == null) { ReportError("Directory {0} references non-existent file {1}", f, entry.Key); } File referencedFile = new File(_context, refFile); StandardInformation si = referencedFile.GetStream(AttributeType.StandardInformation, null).GetContent<StandardInformation>(); if (si.CreationTime != entry.Key.CreationTime || si.MftChangedTime != entry.Key.MftChangedTime || si.ModificationTime != entry.Key.ModificationTime) { ReportInfo("Directory entry {0} in {1} is out of date", entry.Key, f); } } } } } }