Esempi in C# (CSharp) per MFT.Other MftEntryInfo

Esempio n. 1

File: ExtensionMethods.cs Progetto: muyen2/MFT-1

 public static string GetKey(this MftEntryInfo mftInfo, bool asDecimal = false)
 {
     if (asDecimal)
     {
         return($"{mftInfo.MftEntryNumber}-{mftInfo.MftSequenceNumber}");
     }
     return($"{mftInfo.MftEntryNumber:X8}-{mftInfo.MftSequenceNumber:X8}");
 }

Esempio n. 2

File: AttributeInfo.cs Progetto: muyen2/MFT-1

        public AttributeInfo(byte[] rawBytes)
        {
            var buff = new byte[8];

            FirstVirtualClusterNumber = BitConverter.ToUInt64(rawBytes, 0x8);

            Buffer.BlockCopy(rawBytes, 0x10, buff, 0, 0x8);

            EntryInfo = new MftEntryInfo(buff);

            var nameSize   = rawBytes[0x6];
            var nameOffset = rawBytes[0x7];

            if (nameSize > 0)
            {
                Name = Encoding.Unicode.GetString(rawBytes, nameOffset, nameSize * 2);
            }
        }

Esempio n. 3

File: IndexEntry.cs Progetto: theCanary/MFT

        public IndexEntry(byte[] rawBytes)
        {
            var index = 0;
            var size  = BitConverter.ToInt16(rawBytes, index);

            index += 2;

            var indexKeyDataSize = BitConverter.ToInt16(rawBytes, index);

            index += 2;

            var indexFlags = (IndexRoot.IndexFlag)BitConverter.ToInt32(rawBytes, index);

            index += 4;

            if ((indexFlags & IndexRoot.IndexFlag.IsLast) == IndexRoot.IndexFlag.IsLast)
            {
                return;
            }

            if (indexKeyDataSize == 0x10)
            {
                //indicates no more index entries
                return;
            }

            if (indexKeyDataSize <= 0x40)
            {
                //too small to do anything with
                return;
            }

            if (indexKeyDataSize > 0)
            {
                var mftInfoBytes = new byte[8];
                Buffer.BlockCopy(rawBytes, index, mftInfoBytes, 0, 8);
                index += 8;

                ParentMftRecord = new MftEntryInfo(mftInfoBytes);

                var createdRaw = BitConverter.ToInt64(rawBytes, index);
                if (createdRaw > 0)
                {
                    CreatedOn = DateTimeOffset.FromFileTime(createdRaw).ToUniversalTime();
                }

                index += 8;

                var contentModRaw = BitConverter.ToInt64(rawBytes, index);
                if (contentModRaw > 0)
                {
                    ContentModifiedOn = DateTimeOffset.FromFileTime(contentModRaw).ToUniversalTime();
                }

                index += 8;

                var recordModRaw = BitConverter.ToInt64(rawBytes, index);
                if (recordModRaw > 0)
                {
                    RecordModifiedOn = DateTimeOffset.FromFileTime(recordModRaw).ToUniversalTime();
                }

                index += 8;

                var lastAccessRaw = BitConverter.ToInt64(rawBytes, index);
                if (lastAccessRaw > 0)
                {
                    LastAccessedOn = DateTimeOffset.FromFileTime(lastAccessRaw).ToUniversalTime();
                }

                index += 8;


                PhysicalSize = BitConverter.ToUInt64(rawBytes, index);
                index       += 8;
                LogicalSize  = BitConverter.ToUInt64(rawBytes, index);
                index       += 8;

                Flags  = (StandardInfo.Flag)BitConverter.ToInt32(rawBytes, index);
                index += 4;


                ReparseValue = BitConverter.ToInt32(rawBytes, index);
                index       += 4;

                NameLength = rawBytes[index];
                index     += 1;
                NameType   = (NameTypes)rawBytes[index];
                index     += 1;

                FileName = Encoding.Unicode.GetString(rawBytes, index, NameLength * 2);
            }

            //index += 2; //padding
        }