private void SelfCheckIndex(File file, string name)
{
ReportInfo("About to self-check index {0} in file {1} (MFT:{2})", name, file.BestName, file.IndexInMft);
IndexRoot root = file.GetStream(AttributeType.IndexRoot, name).GetContent <IndexRoot>();
byte[] rootBuffer;
using (Stream s = file.OpenStream(AttributeType.IndexRoot, name, FileAccess.Read))
{
rootBuffer = Utilities.ReadFully(s, (int)s.Length);
}
Bitmap indexBitmap = null;
if (file.GetStream(AttributeType.Bitmap, name) != null)
{
indexBitmap = new Bitmap(file.OpenStream(AttributeType.Bitmap, name, FileAccess.Read), long.MaxValue);
}
if (!SelfCheckIndexNode(rootBuffer, IndexRoot.HeaderOffset, indexBitmap, root, file.BestName, name))
{
ReportError("Index {0} in file {1} (MFT:{2}) has corrupt IndexRoot attribute", name, file.BestName, file.IndexInMft);
}
else
{
ReportInfo("Self-check of index {0} in file {1} (MFT:{2}) complete", name, file.BestName, file.IndexInMft);
}
}
public Index(File file, string name, BiosParameterBlock bpb, UpperCase upCase)
{
_file = file;
_name = name;
_bpb = bpb;
_isFileIndex = name == "$I30";
_blockCache = new ObjectCache<long, IndexBlock>();
_root = _file.GetStream(AttributeType.IndexRoot, _name).GetContent<IndexRoot>();
_comparer = _root.GetCollator(upCase);
using (Stream s = _file.OpenStream(AttributeType.IndexRoot, _name, FileAccess.Read))
{
byte[] buffer = Utilities.ReadFully(s, (int)s.Length);
_rootNode = new IndexNode(WriteRootNodeToDisk, 0, this, true, buffer, IndexRoot.HeaderOffset);
// Give the attribute some room to breathe, so long as it doesn't squeeze others out
// BROKEN, BROKEN, BROKEN - how to figure this out? Query at the point of adding entries to the root node?
_rootNode.TotalSpaceAvailable += _file.MftRecordFreeSpace(AttributeType.IndexRoot, _name) - 100;
}
if (_file.StreamExists(AttributeType.IndexAllocation, _name))
{
_indexStream = _file.OpenStream(AttributeType.IndexAllocation, _name, FileAccess.ReadWrite);
}
if (_file.StreamExists(AttributeType.Bitmap, _name))
{
_indexBitmap = new Bitmap(_file.OpenStream(AttributeType.Bitmap, _name, FileAccess.ReadWrite), long.MaxValue);
}
}
public Index(File file, string name, BiosParameterBlock bpb, UpperCase upCase)
{
_file = file;
_name = name;
_bpb = bpb;
IsFileIndex = name == "$I30";
_blockCache = new ObjectCache <long, IndexBlock>();
_root = _file.GetStream(AttributeType.IndexRoot, _name).GetContent <IndexRoot>();
_comparer = _root.GetCollator(upCase);
using (Stream s = _file.OpenStream(AttributeType.IndexRoot, _name, FileAccess.Read))
{
byte[] buffer = Utilities.ReadFully(s, (int)s.Length);
_rootNode = new IndexNode(WriteRootNodeToDisk, 0, this, true, buffer, IndexRoot.HeaderOffset);
// Give the attribute some room to breathe, so long as it doesn't squeeze others out
// BROKEN, BROKEN, BROKEN - how to figure this out? Query at the point of adding entries to the root node?
_rootNode.TotalSpaceAvailable += _file.MftRecordFreeSpace(AttributeType.IndexRoot, _name) - 100;
}
if (_file.StreamExists(AttributeType.IndexAllocation, _name))
{
AllocationStream = _file.OpenStream(AttributeType.IndexAllocation, _name, FileAccess.ReadWrite);
}
if (_file.StreamExists(AttributeType.Bitmap, _name))
{
_indexBitmap = new Bitmap(_file.OpenStream(AttributeType.Bitmap, _name, FileAccess.ReadWrite),
long.MaxValue);
}
}
public void Initialize(File file)
{
_self = file;
if (_recordStream != null)
{
_recordStream.Dispose();
}
NtfsStream bitmapStream = _self.GetStream(AttributeType.Bitmap, null);
_bitmap = new Bitmap(bitmapStream.Open(FileAccess.ReadWrite), long.MaxValue);
NtfsStream recordsStream = _self.GetStream(AttributeType.Data, null);
_recordStream = recordsStream.Open(FileAccess.ReadWrite);
}
private void VerifyDirectories()
{
foreach (FileRecord fr in _context.Mft.Records)
{
if (fr.BaseFile.Value != 0)
{
continue;
}
File f = new File(_context, fr);
foreach (var stream in f.AllStreams)
{
if (stream.AttributeType == AttributeType.IndexRoot && stream.Name == "$I30")
{
IndexView <FileNameRecord, FileRecordReference> dir = new IndexView <FileNameRecord, FileRecordReference>(f.GetIndex("$I30"));
foreach (var entry in dir.Entries)
{
FileRecord refFile = _context.Mft.GetRecord(entry.Value);
// Make sure each referenced file actually exists...
if (refFile == null)
{
ReportError("Directory {0} references non-existent file {1}", f, entry.Key);
}
File referencedFile = new File(_context, refFile);
StandardInformation si = referencedFile.GetStream(AttributeType.StandardInformation, null).GetContent <StandardInformation>();
if (si.CreationTime != entry.Key.CreationTime || si.MftChangedTime != entry.Key.MftChangedTime ||
si.ModificationTime != entry.Key.ModificationTime)
{
ReportInfo("Directory entry {0} in {1} is out of date", entry.Key, f);
}
}
}
}
}
}
public NtfsFileSystem Format(Stream stream)
{
_context = new NtfsContext();
_context.Options = new NtfsOptions();
_context.RawStream = stream;
_context.AttributeDefinitions = new AttributeDefinitions();
string localAdminString = (ComputerAccount == null)
? "LA"
: new SecurityIdentifier(WellKnownSidType.AccountAdministratorSid, ComputerAccount).ToString();
using (new NtfsTransaction())
{
_clusterSize = 4096;
_mftRecordSize = 1024;
_indexBufferSize = 4096;
long totalClusters = ((SectorCount - 1) * Sizes.Sector) / _clusterSize;
// Allocate a minimum of 8KB for the boot loader, but allow for more
int numBootClusters = Utilities.Ceil(Math.Max((int)(8 * Sizes.OneKiB), BootCode == null ? 0 : BootCode.Length), _clusterSize);
// Place MFT mirror in the middle of the volume
_mftMirrorCluster = totalClusters / 2;
uint numMftMirrorClusters = 1;
// The bitmap is also near the middle
_bitmapCluster = _mftMirrorCluster + 13;
int numBitmapClusters = (int)Utilities.Ceil((totalClusters / 8), _clusterSize);
// The MFT bitmap goes 'near' the start - approx 10% in - but ensure we avoid the bootloader
long mftBitmapCluster = Math.Max(3 + (totalClusters / 10), numBootClusters);
int numMftBitmapClusters = 1;
// The MFT follows it's bitmap
_mftCluster = mftBitmapCluster + numMftBitmapClusters;
int numMftClusters = 8;
if (_mftCluster + numMftClusters > _mftMirrorCluster ||
_bitmapCluster + numBitmapClusters >= totalClusters)
{
throw new IOException("Unable to determine initial layout of NTFS metadata - disk may be too small");
}
CreateBiosParameterBlock(stream, numBootClusters * _clusterSize);
_context.Mft = new MasterFileTable(_context);
File mftFile = _context.Mft.InitializeNew(_context, mftBitmapCluster, (ulong)numMftBitmapClusters, (long)_mftCluster, (ulong)numMftClusters);
File bitmapFile = CreateFixedSystemFile(MasterFileTable.BitmapIndex, _bitmapCluster, (ulong)numBitmapClusters, true);
_context.ClusterBitmap = new ClusterBitmap(bitmapFile);
_context.ClusterBitmap.MarkAllocated(0, numBootClusters);
_context.ClusterBitmap.MarkAllocated(_bitmapCluster, numBitmapClusters);
_context.ClusterBitmap.MarkAllocated(mftBitmapCluster, numMftBitmapClusters);
_context.ClusterBitmap.MarkAllocated(_mftCluster, numMftClusters);
_context.ClusterBitmap.SetTotalClusters(totalClusters);
bitmapFile.UpdateRecordInMft();
File mftMirrorFile = CreateFixedSystemFile(MasterFileTable.MftMirrorIndex, _mftMirrorCluster, numMftMirrorClusters, true);
File logFile = CreateSystemFile(MasterFileTable.LogFileIndex);
using (Stream s = logFile.OpenStream(AttributeType.Data, null, FileAccess.ReadWrite))
{
s.SetLength(Math.Min(Math.Max(2 * Sizes.OneMiB, (totalClusters / 500) * (long)_clusterSize), 64 * Sizes.OneMiB));
byte[] buffer = new byte[1024 * 1024];
for (int i = 0; i < buffer.Length; ++i)
{
buffer[i] = 0xFF;
}
long totalWritten = 0;
while (totalWritten < s.Length)
{
int toWrite = (int)Math.Min(s.Length - totalWritten, buffer.Length);
s.Write(buffer, 0, toWrite);
totalWritten += toWrite;
}
}
File volumeFile = CreateSystemFile(MasterFileTable.VolumeIndex);
NtfsStream volNameStream = volumeFile.CreateStream(AttributeType.VolumeName, null);
volNameStream.SetContent(new VolumeName(Label ?? "New Volume"));
NtfsStream volInfoStream = volumeFile.CreateStream(AttributeType.VolumeInformation, null);
volInfoStream.SetContent(new VolumeInformation(3, 1, VolumeInformationFlags.None));
SetSecurityAttribute(volumeFile, "O:" + localAdminString + "G:BAD:(A;;0x12019f;;;SY)(A;;0x12019f;;;BA)");
volumeFile.UpdateRecordInMft();
_context.GetFileByIndex = delegate(long index) { return(new File(_context, _context.Mft.GetRecord(index, false))); };
_context.AllocateFile = delegate(FileRecordFlags frf) { return(new File(_context, _context.Mft.AllocateRecord(frf, false))); };
File attrDefFile = CreateSystemFile(MasterFileTable.AttrDefIndex);
_context.AttributeDefinitions.WriteTo(attrDefFile);
SetSecurityAttribute(attrDefFile, "O:" + localAdminString + "G:BAD:(A;;FR;;;SY)(A;;FR;;;BA)");
attrDefFile.UpdateRecordInMft();
File bootFile = CreateFixedSystemFile(MasterFileTable.BootIndex, 0, (uint)numBootClusters, false);
SetSecurityAttribute(bootFile, "O:" + localAdminString + "G:BAD:(A;;FR;;;SY)(A;;FR;;;BA)");
bootFile.UpdateRecordInMft();
File badClusFile = CreateSystemFile(MasterFileTable.BadClusIndex);
badClusFile.CreateStream(AttributeType.Data, "$Bad");
badClusFile.UpdateRecordInMft();
File secureFile = CreateSystemFile(MasterFileTable.SecureIndex, FileRecordFlags.HasViewIndex);
secureFile.RemoveStream(secureFile.GetStream(AttributeType.Data, null));
_context.SecurityDescriptors = SecurityDescriptors.Initialize(secureFile);
secureFile.UpdateRecordInMft();
File upcaseFile = CreateSystemFile(MasterFileTable.UpCaseIndex);
_context.UpperCase = UpperCase.Initialize(upcaseFile);
upcaseFile.UpdateRecordInMft();
File objIdFile = File.CreateNew(_context, FileRecordFlags.IsMetaFile | FileRecordFlags.HasViewIndex, FileAttributeFlags.None);
objIdFile.RemoveStream(objIdFile.GetStream(AttributeType.Data, null));
objIdFile.CreateIndex("$O", (AttributeType)0, AttributeCollationRule.MultipleUnsignedLongs);
objIdFile.UpdateRecordInMft();
File reparseFile = File.CreateNew(_context, FileRecordFlags.IsMetaFile | FileRecordFlags.HasViewIndex, FileAttributeFlags.None);
reparseFile.CreateIndex("$R", (AttributeType)0, AttributeCollationRule.MultipleUnsignedLongs);
reparseFile.UpdateRecordInMft();
File quotaFile = File.CreateNew(_context, FileRecordFlags.IsMetaFile | FileRecordFlags.HasViewIndex, FileAttributeFlags.None);
Quotas.Initialize(quotaFile);
Directory extendDir = CreateSystemDirectory(MasterFileTable.ExtendIndex);
extendDir.AddEntry(objIdFile, "$ObjId", FileNameNamespace.Win32AndDos);
extendDir.AddEntry(reparseFile, "$Reparse", FileNameNamespace.Win32AndDos);
extendDir.AddEntry(quotaFile, "$Quota", FileNameNamespace.Win32AndDos);
extendDir.UpdateRecordInMft();
Directory rootDir = CreateSystemDirectory(MasterFileTable.RootDirIndex);
rootDir.AddEntry(mftFile, "$MFT", FileNameNamespace.Win32AndDos);
rootDir.AddEntry(mftMirrorFile, "$MFTMirr", FileNameNamespace.Win32AndDos);
rootDir.AddEntry(logFile, "$LogFile", FileNameNamespace.Win32AndDos);
rootDir.AddEntry(volumeFile, "$Volume", FileNameNamespace.Win32AndDos);
rootDir.AddEntry(attrDefFile, "$AttrDef", FileNameNamespace.Win32AndDos);
rootDir.AddEntry(rootDir, ".", FileNameNamespace.Win32AndDos);
rootDir.AddEntry(bitmapFile, "$Bitmap", FileNameNamespace.Win32AndDos);
rootDir.AddEntry(bootFile, "$Boot", FileNameNamespace.Win32AndDos);
rootDir.AddEntry(badClusFile, "$BadClus", FileNameNamespace.Win32AndDos);
rootDir.AddEntry(secureFile, "$Secure", FileNameNamespace.Win32AndDos);
rootDir.AddEntry(upcaseFile, "$UpCase", FileNameNamespace.Win32AndDos);
rootDir.AddEntry(extendDir, "$Extend", FileNameNamespace.Win32AndDos);
SetSecurityAttribute(rootDir, "O:" + localAdminString + "G:BUD:(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICIIO;GA;;;CO)(A;OICI;0x1200a9;;;BU)(A;CI;LC;;;BU)(A;CIIO;DC;;;BU)(A;;0x1200a9;;;WD)");
rootDir.UpdateRecordInMft();
// A number of records are effectively 'reserved'
for (long i = MasterFileTable.ExtendIndex + 1; i <= 15; i++)
{
File f = CreateSystemFile(i);
SetSecurityAttribute(f, "O:S-1-5-21-1708537768-746137067-1060284298-1003G:BAD:(A;;0x12019f;;;SY)(A;;0x12019f;;;BA)");
f.UpdateRecordInMft();
}
}
// XP-style security permissions setup
NtfsFileSystem ntfs = new NtfsFileSystem(stream);
ntfs.SetSecurity(@"$MFT", new RawSecurityDescriptor("O:" + localAdminString + "G:BAD:(A;;FR;;;SY)(A;;FR;;;BA)"));
ntfs.SetSecurity(@"$MFTMirr", new RawSecurityDescriptor("O:" + localAdminString + "G:BAD:(A;;FR;;;SY)(A;;FR;;;BA)"));
ntfs.SetSecurity(@"$LogFile", new RawSecurityDescriptor("O:" + localAdminString + "G:BAD:(A;;FR;;;SY)(A;;FR;;;BA)"));
ntfs.SetSecurity(@"$Bitmap", new RawSecurityDescriptor("O:" + localAdminString + "G:BAD:(A;;FR;;;SY)(A;;FR;;;BA)"));
ntfs.SetSecurity(@"$BadClus", new RawSecurityDescriptor("O:" + localAdminString + "G:BAD:(A;;FR;;;SY)(A;;FR;;;BA)"));
ntfs.SetSecurity(@"$UpCase", new RawSecurityDescriptor("O:" + localAdminString + "G:BAD:(A;;FR;;;SY)(A;;FR;;;BA)"));
ntfs.SetSecurity(@"$Secure", new RawSecurityDescriptor("O:" + localAdminString + "G:BAD:(A;;0x12019f;;;SY)(A;;0x12019f;;;BA)"));
ntfs.SetSecurity(@"$Extend", new RawSecurityDescriptor("O:" + localAdminString + "G:BAD:(A;;0x12019f;;;SY)(A;;0x12019f;;;BA)"));
ntfs.SetSecurity(@"$Extend\$Quota", new RawSecurityDescriptor("O:" + localAdminString + "G:BAD:(A;;0x12019f;;;SY)(A;;0x12019f;;;BA)"));
ntfs.SetSecurity(@"$Extend\$ObjId", new RawSecurityDescriptor("O:" + localAdminString + "G:BAD:(A;;0x12019f;;;SY)(A;;0x12019f;;;BA)"));
ntfs.SetSecurity(@"$Extend\$Reparse", new RawSecurityDescriptor("O:" + localAdminString + "G:BAD:(A;;0x12019f;;;SY)(A;;0x12019f;;;BA)"));
ntfs.CreateDirectory("System Volume Information");
ntfs.SetAttributes("System Volume Information", FileAttributes.Hidden | FileAttributes.System | FileAttributes.Directory);
ntfs.SetSecurity("System Volume Information", new RawSecurityDescriptor("O:BAG:SYD:(A;OICI;FA;;;SY)"));
using (Stream s = ntfs.OpenFile(@"System Volume Information\MountPointManagerRemoteDatabase", FileMode.Create))
{
}
ntfs.SetAttributes(@"System Volume Information\MountPointManagerRemoteDatabase", FileAttributes.Hidden | FileAttributes.System | FileAttributes.Archive);
ntfs.SetSecurity(@"System Volume Information\MountPointManagerRemoteDatabase", new RawSecurityDescriptor("O:BAG:SYD:(A;;FA;;;SY)"));
return(ntfs);
}
private void DoSetSecurity(File file, RawSecurityDescriptor securityDescriptor)
{
NtfsStream legacyStream = file.GetStream(AttributeType.SecurityDescriptor, null);
if (legacyStream != null)
{
SecurityDescriptor sd = new SecurityDescriptor();
sd.Descriptor = securityDescriptor;
legacyStream.SetContent(sd);
}
else
{
uint id = _context.SecurityDescriptors.AddDescriptor(securityDescriptor);
// Update the standard information attribute - so it reflects the actual file state
NtfsStream stream = file.GetStream(AttributeType.StandardInformation, null);
StandardInformation si = stream.GetContent<StandardInformation>();
si.SecurityId = id;
stream.SetContent(si);
// Write attribute changes back to the Master File Table
file.UpdateRecordInMft();
}
}
private RawSecurityDescriptor DoGetSecurity(File file)
{
NtfsStream legacyStream = file.GetStream(AttributeType.SecurityDescriptor, null);
if (legacyStream != null)
{
return legacyStream.GetContent<SecurityDescriptor>().Descriptor;
}
StandardInformation si = file.StandardInformation;
return _context.SecurityDescriptors.GetDescriptorById(si.SecurityId);
}
private void RemoveReparsePoint(File file)
{
NtfsStream stream = file.GetStream(AttributeType.ReparsePoint, null);
if (stream != null)
{
ReparsePointRecord rp = new ReparsePointRecord();
using (Stream contentStream = stream.Open(FileAccess.Read))
{
byte[] buffer = Utilities.ReadFully(contentStream, (int)contentStream.Length);
rp.ReadFrom(buffer, 0);
}
file.RemoveStream(stream);
// Update the standard information attribute - so it reflects the actual file state
NtfsStream stdInfoStream = file.GetStream(AttributeType.StandardInformation, null);
StandardInformation si = stdInfoStream.GetContent<StandardInformation>();
si.FileAttributes = si.FileAttributes & ~FileAttributeFlags.ReparsePoint;
stdInfoStream.SetContent(si);
// Remove the reparse point from the index
_context.ReparsePoints.Remove(rp.Tag, file.MftReference);
}
}
private static void UpdateStandardInformation(DirectoryEntry dirEntry, File file, StandardInformationModifier modifier)
{
// Update the standard information attribute - so it reflects the actual file state
NtfsStream stream = file.GetStream(AttributeType.StandardInformation, null);
StandardInformation si = stream.GetContent<StandardInformation>();
modifier(si);
stream.SetContent(si);
// Update the directory entry used to open the file, so it's accurate
dirEntry.UpdateFrom(file);
// Write attribute changes back to the Master File Table
file.UpdateRecordInMft();
}
public void Initialize(File file)
{
_self = file;
if (_recordStream != null)
{
_recordStream.Dispose();
}
NtfsStream bitmapStream = _self.GetStream(AttributeType.Bitmap, null);
_bitmap = new Bitmap(bitmapStream.Open(FileAccess.ReadWrite), long.MaxValue);
NtfsStream recordsStream = _self.GetStream(AttributeType.Data, null);
_recordStream = recordsStream.Open(FileAccess.ReadWrite);
}
private void SelfCheckIndex(File file, string name)
{
ReportInfo("About to self-check index {0} in file {1} (MFT:{2})", name, file.BestName, file.IndexInMft);
IndexRoot root = file.GetStream(AttributeType.IndexRoot, name).GetContent<IndexRoot>();
byte[] rootBuffer;
using (Stream s = file.OpenStream(AttributeType.IndexRoot, name, FileAccess.Read))
{
rootBuffer = Utilities.ReadFully(s, (int)s.Length);
}
Bitmap indexBitmap = null;
if (file.GetStream(AttributeType.Bitmap, name) != null)
{
indexBitmap = new Bitmap(file.OpenStream(AttributeType.Bitmap, name, FileAccess.Read), long.MaxValue);
}
if (!SelfCheckIndexNode(rootBuffer, IndexRoot.HeaderOffset, indexBitmap, root, file.BestName, name))
{
ReportError("Index {0} in file {1} (MFT:{2}) has corrupt IndexRoot attribute", name, file.BestName, file.IndexInMft);
}
else
{
ReportInfo("Self-check of index {0} in file {1} (MFT:{2}) complete", name, file.BestName, file.IndexInMft);
}
}
private void VerifyDirectories()
{
foreach (FileRecord fr in _context.Mft.Records)
{
if (fr.BaseFile.Value != 0)
{
continue;
}
File f = new File(_context, fr);
foreach (var stream in f.AllStreams)
{
if (stream.AttributeType == AttributeType.IndexRoot && stream.Name == "$I30")
{
IndexView<FileNameRecord, FileRecordReference> dir = new IndexView<FileNameRecord, FileRecordReference>(f.GetIndex("$I30"));
foreach (var entry in dir.Entries)
{
FileRecord refFile = _context.Mft.GetRecord(entry.Value);
// Make sure each referenced file actually exists...
if (refFile == null)
{
ReportError("Directory {0} references non-existent file {1}", f, entry.Key);
}
File referencedFile = new File(_context, refFile);
StandardInformation si = referencedFile.GetStream(AttributeType.StandardInformation, null).GetContent<StandardInformation>();
if (si.CreationTime != entry.Key.CreationTime || si.MftChangedTime != entry.Key.MftChangedTime
|| si.ModificationTime != entry.Key.ModificationTime)
{
ReportInfo("Directory entry {0} in {1} is out of date", entry.Key, f);
}
}
}
}
}
}
