protected override void Read(byte[] buffer, int offset)
{
LogFileSequenceNumber = EndianUtilities.ToUInt64LittleEndian(buffer, offset + 0x08);
SequenceNumber = EndianUtilities.ToUInt16LittleEndian(buffer, offset + 0x10);
HardLinkCount = EndianUtilities.ToUInt16LittleEndian(buffer, offset + 0x12);
_firstAttributeOffset = EndianUtilities.ToUInt16LittleEndian(buffer, offset + 0x14);
Flags = (FileRecordFlags)EndianUtilities.ToUInt16LittleEndian(buffer, offset + 0x16);
RealSize = EndianUtilities.ToUInt32LittleEndian(buffer, offset + 0x18);
AllocatedSize = EndianUtilities.ToUInt32LittleEndian(buffer, offset + 0x1C);
BaseFile = new FileRecordReference(EndianUtilities.ToUInt64LittleEndian(buffer, offset + 0x20));
NextAttributeId = EndianUtilities.ToUInt16LittleEndian(buffer, offset + 0x28);
if (UpdateSequenceOffset >= 0x30)
{
_index = EndianUtilities.ToUInt32LittleEndian(buffer, offset + 0x2C);
_haveIndex = true;
}
Attributes = new List <AttributeRecord>();
int focus = _firstAttributeOffset;
while (true)
{
int length;
AttributeRecord attr = AttributeRecord.FromBytes(buffer, focus, out length);
if (attr == null)
{
break;
}
Attributes.Add(attr);
focus += length;
}
}
public int ReadFrom(byte[] data, int offset)
{
Type = (AttributeType)Utilities.ToUInt32LittleEndian(data, offset + 0x00);
RecordLength = Utilities.ToUInt16LittleEndian(data, offset + 0x04);
NameLength = data[offset + 0x06];
NameOffset = data[offset + 0x07];
StartVcn = Utilities.ToUInt64LittleEndian(data, offset + 0x08);
BaseFileReference = new FileRecordReference(Utilities.ToUInt64LittleEndian(data, offset + 0x10));
AttributeId = Utilities.ToUInt16LittleEndian(data, offset + 0x18);
if (NameLength > 0)
{
Name = Encoding.Unicode.GetString(data, offset + NameOffset, NameLength * 2);
}
else
{
Name = null;
}
if (RecordLength < 0x18)
{
throw new InvalidDataException("Malformed AttributeList record");
}
return(RecordLength);
}
private void RemoveFileRecord(FileRecordReference fileReference)
{
for (int i = 0; i < _records.Count; ++i)
{
if (_records[i].MasterFileTableIndex == fileReference.MftIndex)
{
FileRecord record = _records[i];
if (record.Attributes.Count > 0)
{
throw new IOException("Attempting to remove non-empty MFT record");
}
_context.Mft.RemoveRecord(fileReference);
_records.Remove(record);
if (_records.Count == 1)
{
NtfsAttribute attrListAttr = GetAttribute(AttributeType.AttributeList, null);
if (attrListAttr != null)
{
RemoveAttribute(attrListAttr);
}
}
}
}
}
public void SetExtent(FileRecordReference containingFile, AttributeRecord record)
{
_containingFile = containingFile;
_record = record;
_extents.Clear();
_extents.Add(new AttributeReference(containingFile, record.AttributeId), record);
}
protected NtfsAttribute(File file, FileRecordReference containingFile, AttributeRecord record)
{
_file = file;
_containingFile = containingFile;
_primaryRecord = record;
_extents = new Dictionary <AttributeReference, AttributeRecord>();
_extents.Add(new AttributeReference(containingFile, record.AttributeId), _primaryRecord);
}
public void SetExtent(FileRecordReference containingFile, AttributeRecord record)
{
_cachedRawBuffer = null;
_containingFile = containingFile;
_primaryRecord = record;
_extents.Clear();
_extents.Add(new AttributeReference(containingFile, record.AttributeId), record);
}
internal void Remove(uint tag, FileRecordReference file)
{
Key key = new Key();
key.Tag = tag;
key.File = file;
_index.Remove(key);
_file.UpdateRecordInMft();
}
public int ReadFrom(byte[] buffer, int offset)
{
MftReference = new FileRecordReference();
MftReference.ReadFrom(buffer, offset);
BirthVolumeId = Utilities.ToGuidLittleEndian(buffer, offset + 0x08);
BirthObjectId = Utilities.ToGuidLittleEndian(buffer, offset + 0x18);
BirthDomainId = Utilities.ToGuidLittleEndian(buffer, offset + 0x28);
return(0x38);
}
public void RemoveRecord(FileRecordReference fileRef)
{
FileRecord record = GetRecord(fileRef.MftIndex, false);
record.Reset();
WriteRecord(record);
_recordCache.Remove(fileRef.MftIndex);
_bitmap.MarkAbsent(fileRef.MftIndex);
_self.UpdateRecordInMft();
}
internal void Add(uint tag, FileRecordReference file)
{
Key newKey = new Key();
newKey.Tag = tag;
newKey.File = file;
Data data = new Data();
_index[newKey] = data;
_file.UpdateRecordInMft();
}
private FileRecord GetFileRecord(FileRecordReference fileReference)
{
foreach (FileRecord record in _records)
{
if (record.MasterFileTableIndex == fileReference.MftIndex)
{
return(record);
}
}
return(null);
}
public string GetFirstName(FileRecordReference dir, FileNameNamespace aliasNamespace)
{
foreach (StructuredNtfsAttribute <FileNameRecord> attr in GetAttributes(AttributeType.FileName))
{
FileNameRecord fnr = attr.Content;
if (fnr.ParentDirectory.Equals(dir) && fnr.FileNameNamespace == aliasNamespace)
{
return(fnr.FileName);
}
}
return(null);
}
public FileNameRecord(FileNameRecord toCopy)
{
ParentDirectory = toCopy.ParentDirectory;
CreationTime = toCopy.CreationTime;
ModificationTime = toCopy.ModificationTime;
MftChangedTime = toCopy.MftChangedTime;
LastAccessTime = toCopy.LastAccessTime;
AllocatedSize = toCopy.AllocatedSize;
RealSize = toCopy.RealSize;
Flags = toCopy.Flags;
EASizeOrReparsePointTag = toCopy.EASizeOrReparsePointTag;
FileNameNamespace = toCopy.FileNameNamespace;
FileName = toCopy.FileName;
}
public void ReInitialize(int sectorSize, int recordLength, uint index)
{
Initialize("FILE", sectorSize, recordLength);
SequenceNumber++;
Flags = FileRecordFlags.None;
AllocatedSize = (uint)recordLength;
NextAttributeId = 0;
_index = index;
HardLinkCount = 0;
BaseFile = new FileRecordReference(0);
Attributes = new List <AttributeRecord>();
_haveIndex = true;
}
internal void Add(Guid objId, FileRecordReference mftRef, Guid birthId, Guid birthVolumeId, Guid birthDomainId)
{
IndexKey newKey = new IndexKey();
newKey.Id = objId;
ObjectIdRecord newData = new ObjectIdRecord();
newData.MftReference = mftRef;
newData.BirthObjectId = birthId;
newData.BirthVolumeId = birthVolumeId;
newData.BirthDomainId = birthDomainId;
_index[newKey] = newData;
_file.UpdateRecordInMft();
}
public FileRecord GetRecord(FileRecordReference fileReference)
{
FileRecord result = GetRecord(fileReference.MftIndex, false);
if (result != null)
{
if (fileReference.SequenceNumber != 0 && result.SequenceNumber != 0)
{
if (fileReference.SequenceNumber != result.SequenceNumber)
{
throw new IOException("Attempt to get an MFT record with an old reference");
}
}
}
return(result);
}
public bool ReplaceExtent(AttributeReference oldRef, AttributeReference newRef, AttributeRecord record)
{
_cachedRawBuffer = null;
if (!_extents.Remove(oldRef))
{
return(false);
}
if (oldRef.Equals(Reference) || _extents.Count == 0)
{
_primaryRecord = record;
_containingFile = newRef.File;
}
_extents.Add(newRef, record);
return(true);
}
public bool ReplaceExtent(AttributeReference oldRef, AttributeReference newRef, AttributeRecord record)
{
if (!_extents.Remove(oldRef))
{
return(false);
}
else
{
if (oldRef.Equals(Reference) || _extents.Count == 0)
{
_record = record;
_containingFile = newRef.File;
}
_extents.Add(newRef, record);
return(true);
}
}
public int ReadFrom(byte[] buffer, int offset)
{
ParentDirectory = new FileRecordReference(Utilities.ToUInt64LittleEndian(buffer, offset + 0x00));
CreationTime = ReadDateTime(buffer, offset + 0x08);
ModificationTime = ReadDateTime(buffer, offset + 0x10);
MftChangedTime = ReadDateTime(buffer, offset + 0x18);
LastAccessTime = ReadDateTime(buffer, offset + 0x20);
AllocatedSize = Utilities.ToUInt64LittleEndian(buffer, offset + 0x28);
RealSize = Utilities.ToUInt64LittleEndian(buffer, offset + 0x30);
Flags = (FileAttributeFlags)Utilities.ToUInt32LittleEndian(buffer, offset + 0x38);
EASizeOrReparsePointTag = Utilities.ToUInt32LittleEndian(buffer, offset + 0x3C);
byte fnLen = buffer[offset + 0x40];
FileNameNamespace = (FileNameNamespace)buffer[offset + 0x41];
FileName = Encoding.Unicode.GetString(buffer, offset + 0x42, fnLen * 2);
return(0x42 + (fnLen * 2));
}
public static AttributeListRecord FromAttribute(AttributeRecord attr, FileRecordReference mftRecord)
{
AttributeListRecord newRecord = new AttributeListRecord()
{
Type = attr.AttributeType,
Name = attr.Name,
StartVcn = 0,
BaseFileReference = mftRecord,
AttributeId = attr.AttributeId
};
if (attr.IsNonResident)
{
newRecord.StartVcn = (ulong)((NonResidentAttributeRecord)attr).StartVcn;
}
return(newRecord);
}
public static NtfsAttribute FromRecord(File file, FileRecordReference recordFile, AttributeRecord record)
{
switch (record.AttributeType)
{
case AttributeType.StandardInformation:
return(new StructuredNtfsAttribute <StandardInformation>(file, recordFile, record));
case AttributeType.FileName:
return(new StructuredNtfsAttribute <FileNameRecord>(file, recordFile, record));
case AttributeType.SecurityDescriptor:
return(new StructuredNtfsAttribute <SecurityDescriptor>(file, recordFile, record));
case AttributeType.Data:
return(new NtfsAttribute(file, recordFile, record));
case AttributeType.Bitmap:
return(new NtfsAttribute(file, recordFile, record));
case AttributeType.VolumeName:
return(new StructuredNtfsAttribute <VolumeName>(file, recordFile, record));
case AttributeType.VolumeInformation:
return(new StructuredNtfsAttribute <VolumeInformation>(file, recordFile, record));
case AttributeType.IndexRoot:
return(new NtfsAttribute(file, recordFile, record));
case AttributeType.IndexAllocation:
return(new NtfsAttribute(file, recordFile, record));
case AttributeType.ObjectId:
return(new StructuredNtfsAttribute <ObjectId>(file, recordFile, record));
case AttributeType.ReparsePoint:
return(new StructuredNtfsAttribute <ReparsePointRecord>(file, recordFile, record));
case AttributeType.AttributeList:
return(new StructuredNtfsAttribute <AttributeList>(file, recordFile, record));
default:
return(new NtfsAttribute(file, recordFile, record));
}
}
public StructuredNtfsAttribute(File file, FileRecordReference containingFile, AttributeRecord record)
: base(file, containingFile, record)
{
_structure = new T();
}
public void AddExtent(FileRecordReference containingFile, AttributeRecord record)
{
_cachedRawBuffer = null;
_extents.Add(new AttributeReference(containingFile, record.AttributeId), record);
}
internal static string EntryAsString(IndexEntry entry, string fileName, string indexName)
{
IByteArraySerializable keyValue = null;
IByteArraySerializable dataValue = null;
// Try to guess the type of data in the key and data fields from the filename and index name
if (indexName == "$I30")
{
keyValue = new FileNameRecord();
dataValue = new FileRecordReference();
}
else if (fileName == "$ObjId" && indexName == "$O")
{
keyValue = new ObjectIds.IndexKey();
dataValue = new ObjectIdRecord();
}
else if (fileName == "$Reparse" && indexName == "$R")
{
keyValue = new ReparsePoints.Key();
dataValue = new ReparsePoints.Data();
}
else if (fileName == "$Quota")
{
if (indexName == "$O")
{
keyValue = new Quotas.OwnerKey();
dataValue = new Quotas.OwnerRecord();
}
else if (indexName == "$Q")
{
keyValue = new Quotas.OwnerRecord();
dataValue = new Quotas.QuotaRecord();
}
}
else if (fileName == "$Secure")
{
if (indexName == "$SII")
{
keyValue = new SecurityDescriptors.IdIndexKey();
dataValue = new SecurityDescriptors.IdIndexData();
}
else if (indexName == "$SDH")
{
keyValue = new SecurityDescriptors.HashIndexKey();
dataValue = new SecurityDescriptors.IdIndexData();
}
}
try
{
if (keyValue != null && dataValue != null)
{
keyValue.ReadFrom(entry.KeyBuffer, 0);
dataValue.ReadFrom(entry.DataBuffer, 0);
return("{" + keyValue + "-->" + dataValue + "}");
}
}
catch
{
return("{Parsing-Error}");
}
return("{Unknown-Index-Type}");
}
public int ReadFrom(byte[] buffer, int offset)
{
Tag = Utilities.ToUInt32LittleEndian(buffer, offset);
File = new FileRecordReference(Utilities.ToUInt64LittleEndian(buffer, offset + 4));
return(12);
}
/// <summary>
/// Initializes a new instance of the AttributeReference class.
/// </summary>
/// <param name="fileReference">The file containing the attribute.</param>
/// <param name="attributeId">The identity of the attribute within the file record.</param>
public AttributeReference(FileRecordReference fileReference, ushort attributeId)
{
_fileReference = fileReference;
AttributeId = attributeId;
}
public long GetRecordOffset(FileRecordReference fileReference)
{
return(fileReference.MftIndex * RecordSize);
}
public long GetRecordOffset(FileRecordReference fileReference)
{
return(fileReference.MftIndex * _recordLength);
}
