protected MFTAttribute(byte[] data, int startOffset, MFTRecord record)
: this()
{
_record = record;
// Read the attribute header.
Type = (AttributeType)BitConverter.ToUInt32(data, startOffset + 0);
Length = BitConverter.ToUInt16(data, startOffset + 4);
NonResident = data[startOffset + 8] > 0;
NameLength = data[startOffset + 9];
NameOffset = BitConverter.ToUInt16(data, startOffset + 10);
Compressed = data[startOffset + 0xC] > 0;
Id = BitConverter.ToUInt16(data, startOffset + 0xE);
if (NameLength > 0)
{
Name = Encoding.Unicode.GetString(data, startOffset + NameOffset, NameLength * 2);
}
Flags = BitConverter.ToUInt16(data, startOffset + 12);
Instance = BitConverter.ToUInt16(data, startOffset + 14);
if (NonResident)
{
LoadNonResidentHeader(data, startOffset);
}
else
{
LoadResidentHeader(data, startOffset);
}
}
public SparseRun(ulong vcn, ulong lengthInClusters, MFTRecord record)
{
VCN = vcn;
LengthInClusters = lengthInClusters;
ulong clusterSize = (ulong)record.BytesPerSector * (ulong)record.SectorsPerCluster;
StreamLength = lengthInClusters * clusterSize;
}
public NTFSDataRun(ulong vcn, ulong lcn, ulong lengthInClusters, MFTRecord record) {
_vcn = vcn;
_lcn = lcn;
LengthInClusters = lengthInClusters;
_record = record;
_bytesPerCluster = (ulong)(_record.BytesPerSector * _record.SectorsPerCluster);
_lengthInBytes = LengthInClusters * _bytesPerCluster;
}
/// <summary>
/// The constructor for a file contained as a hidden data stream.
/// </summary>
public FileNTFS(MFTRecord record, MFTAttribute attr, string path) {
_record = record;
_stream = new NTFSFileStream(_record.PartitionStream, _record, attr);
FileSystem = record.FileSystem;
Deleted = _record.Deleted;
Name = PathUtils.MakeFileNameValid(record.FileName + "_" + attr.Name);
Path = PathUtils.Combine(path, Name);
}
/// <summary>
/// The constructor for a file contained as a hidden data stream.
/// </summary>
public FileNTFS(MFTRecord record, MFTAttribute attr, string path)
{
_record = record;
_stream = new NTFSFileStream(_record.PartitionStream, _record, attr);
FileSystem = record.FileSystem;
Deleted = _record.Deleted;
Name = PathUtils.MakeFileNameValid(record.FileName + "_" + attr.Name);
Path = PathUtils.Combine(path, Name);
}
public NTFSDataRun(ulong vcn, ulong lcn, ulong lengthInClusters, MFTRecord record)
{
_vcn = vcn;
_lcn = lcn;
LengthInClusters = lengthInClusters;
_record = record;
_bytesPerCluster = (ulong)(_record.BytesPerSector * _record.SectorsPerCluster);
_lengthInBytes = LengthInClusters * _bytesPerCluster;
}
public FileSystemNTFS(IFileSystemStore store)
{
Store = store;
LoadBPB();
_mftSector = (BPB_MFTStartCluster64 * BPB_SecPerClus);
_MFT = new FileNTFS(MFTRecord.Load(0, this), "");
_root = new FolderNTFS(MFTRecord.Load(5, this), "", true);
_bitmapFile = new FileNTFS(MFTRecord.Load(6, this), "");
_bitmap = _bitmapFile.GetBytes(0, _bitmapFile.StreamLength);
}
public NTFSFileStream(IDataStream partition, MFTRecord record, MFTAttribute attr) {
if (attr != null) {
_nonResident = attr.NonResident;
if (_nonResident) {
_runs = attr.Runs;
_length = attr.DataSize;
} else {
_residentStream = attr.ResidentData;
_length = attr.ResidentData.StreamLength;
}
}
_record = record;
_partitionStream = partition;
}
public FileNTFS(MFTRecord record, string path) {
_record = record;
if (_record.DataAttribute != null) {
_stream = new NTFSFileStream(_record.PartitionStream, _record, AttributeType.Data);
}
FileSystem = record.FileSystem;
Deleted = _record.Deleted;
Name = record.FileName;
if (!string.IsNullOrEmpty(path)) {
Path = PathUtils.Combine(path, Name);
} else {
// We don't know the path.
Path = PathUtils.Combine(FileSystem.Store.DeviceID, "?", Name);
}
}
public HiddenDataStreamFileNTFS(MFTRecord record, string path) {
_record = record;
FileSystem = _record.FileSystem;
Name = record.FileName + "(Hidden Streams)";
if (!string.IsNullOrEmpty(path)) {
Path = PathUtils.Combine(path, Name);
} else {
// We don't know the path.
Path = PathUtils.Combine(FileSystem.Store.DeviceID, "?", Name);
}
_children = new List<IFileSystemNode>();
_children.Add(new FileNTFS(_record, Path));
foreach (MFTAttribute attr in _record.NamedDataAttributes) {
_children.Add(new FileNTFS(_record, attr, Path));
}
}
private void MftScan(FileSystem.NodeVisitCallback callback)
{
ulong numFiles = _MFT.StreamLength / (ulong)(SectorsPerMFTRecord * BytesPerSector);
for (ulong i = 0; i < numFiles; i++)
{
MFTRecord record = MFTRecord.Load(i, this, MFTLoadDepth.NameAttributeOnly);
if (record.Valid)
{
if (!callback(record, i, numFiles))
{
return;
}
}
}
}
public NTFSFileStream(IDataStream partition, MFTRecord record, MFTAttribute attr)
{
if (attr != null)
{
_nonResident = attr.NonResident;
if (_nonResident)
{
_runs = attr.Runs;
_length = attr.DataSize;
}
else
{
_residentStream = attr.ResidentData;
_length = attr.ResidentData.StreamLength;
}
}
_record = record;
_partitionStream = partition;
}
public FolderNTFS(MFTRecord record, string path, bool isRoot = false)
{
_record = record;
FileSystem = record.FileSystem;
Deleted = _record.Deleted;
_indexRoot = new NTFSFileStream(_record.PartitionStream, _record, AttributeType.IndexRoot);
MFTAttribute attr = _record.GetAttribute(AttributeType.IndexAllocation);
if (attr != null)
{
_indexAllocation = new NTFSFileStream(_record.PartitionStream, _record, AttributeType.IndexAllocation);
}
if (isRoot) // root
{
Root = true;
Name = FileSystem.Store.DeviceID;
Path = FileSystem.Store.DeviceID;
foreach (FileSystemNode node in GetChildren("$Volume"))
{
FileNTFS file = node as FileNTFS;
if (file != null && file.VolumeLabel != "")
{
Name = file.VolumeLabel;
break;
}
}
}
else
{
Name = PathUtils.MakeFileNameValid(record.FileName);
if (!string.IsNullOrEmpty(path))
{
Path = PathUtils.Combine(path, Name);
}
else
{
// We don't know the path
Path = PathUtils.Combine(FileSystem.Store.DeviceID, "?", Name);
}
}
}
public FileNTFS(MFTRecord record, string path)
{
_record = record;
if (_record.DataAttribute != null)
{
_stream = new NTFSFileStream(_record.PartitionStream, _record, AttributeType.Data);
}
FileSystem = record.FileSystem;
Deleted = _record.Deleted;
Name = record.FileName;
if (!string.IsNullOrEmpty(path))
{
Path = PathUtils.Combine(path, Name);
}
else
{
// We don't know the path.
Path = PathUtils.Combine(FileSystem.Store.DeviceID, "?", Name);
}
}
public HiddenDataStreamFileNTFS(MFTRecord record, string path)
{
_record = record;
FileSystem = _record.FileSystem;
Name = record.FileName + "(Hidden Streams)";
if (!string.IsNullOrEmpty(path))
{
Path = PathUtils.Combine(path, Name);
}
else
{
// We don't know the path.
Path = PathUtils.Combine(FileSystem.Store.DeviceID, "?", Name);
}
_children = new List <IFileSystemNode>();
_children.Add(new FileNTFS(_record, Path));
foreach (MFTAttribute attr in _record.NamedDataAttributes)
{
_children.Add(new FileNTFS(_record, attr, Path));
}
}
private void LoadExternalAttributeList(int startOffset, MFTAttribute attrList)
{
int offset = 0;
while (true)
{
//Align to 8 byte boundary
if (offset % 8 != 0)
{
offset = (offset / 8 + 1) * 8;
}
// Load the header for this external attribute reference.
AttributeType type = (AttributeType)BitConverter.ToUInt32(_data, offset + startOffset + 0x0);
// 0xFFFFFFFF marks end of attributes.
if (offset == attrList.ValueLength || type == AttributeType.End)
{
break;
}
ushort length = BitConverter.ToUInt16(_data, offset + startOffset + 0x4);
byte nameLength = _data[offset + startOffset + 0x6];
ushort id = BitConverter.ToUInt16(_data, offset + startOffset + 0x18);
ulong vcn = BitConverter.ToUInt64(_data, offset + startOffset + 0x8);
ulong extensionRecordNumber = (BitConverter.ToUInt64(_data, offset + startOffset + 0x10) & 0x00000000FFFFFFFF);
if (extensionRecordNumber != RecordNum && extensionRecordNumber != MFTRecordNumber) // TODO: Are these ever different?
// Load the MFT extension record, locate the attribute we want, and copy it over.
{
MFTRecord extensionRecord = MFTRecord.Load(extensionRecordNumber, this.FileSystem);
if (extensionRecord.Valid)
{
foreach (MFTAttribute externalAttribute in extensionRecord._attributes)
{
if (id == externalAttribute.Id)
{
if (externalAttribute.NonResident && externalAttribute.Type == AttributeType.Data)
{
// Find the corresponding data attribute on this record and merge the runlists
bool merged = false;
foreach (MFTAttribute attribute in _attributes)
{
if (attribute.Type == AttributeType.Data && externalAttribute.Name == attribute.Name)
{
MergeRunLists(ref attribute.Runs, externalAttribute.Runs);
merged = true;
break;
}
}
if (!merged)
{
this._attributes.Add(externalAttribute);
}
}
else
{
this._attributes.Add(externalAttribute);
}
}
}
}
}
offset += 0x1A + (nameLength * 2);
}
}
public static MFTAttribute Load(byte[] data, int startOffset, MFTRecord record)
{
return(new MFTAttribute(data, startOffset, record));
}
public LightweightMFTRecord(MFTRecord record) {
FileName = record.FileName;
IsDirectory = record.IsDirectory;
RecordNumber = record.RecordNum;
ParentRecord = record.ParentDirectory;
}
public NTFSFileStream(IDataStream partition, MFTRecord record, AttributeType attrType) :
this(partition, record, record.GetAttribute(attrType))
{
}
public NTFSFileStream(IDataStream partition, MFTRecord record, AttributeType attrType) :
this(partition, record, record.GetAttribute(attrType)) { }
public FolderNTFS(MFTRecord record, string path, bool isRoot = false) {
_record = record;
FileSystem = record.FileSystem;
Deleted = _record.Deleted;
_indexRoot = new NTFSFileStream(_record.PartitionStream, _record, AttributeType.IndexRoot);
MFTAttribute attr = _record.GetAttribute(AttributeType.IndexAllocation);
if (attr != null) {
_indexAllocation = new NTFSFileStream(_record.PartitionStream, _record, AttributeType.IndexAllocation);
}
if (isRoot) { // root
Root = true;
Name = FileSystem.Store.DeviceID;
Path = FileSystem.Store.DeviceID;
foreach (FileSystemNode node in GetChildren("$Volume")) {
FileNTFS file = node as FileNTFS;
if (file != null && file.VolumeLabel != "") {
Name = file.VolumeLabel;
break;
}
}
} else {
Name = record.FileName;
if (!string.IsNullOrEmpty(path)) {
Path = PathUtils.Combine(path, Name);
} else {
// We don't know the path
Path = PathUtils.Combine(FileSystem.Store.DeviceID, "?", Name);
}
}
}
public SparseRun(ulong vcn, ulong lengthInClusters, MFTRecord record) {
VCN = vcn;
LengthInClusters = lengthInClusters;
ulong clusterSize = (ulong)record.BytesPerSector * (ulong)record.SectorsPerCluster;
StreamLength = lengthInClusters * clusterSize;
}
