internal Data(byte[] AttrBytes, string attrName) { ATTR_DATA data = new ATTR_DATA(AttrBytes); Name = Enum.GetName(typeof(ATTR_TYPE), data.header.commonHeader.ATTRType); NameString = attrName; NonResident = data.header.commonHeader.NonResident; AttributeId = data.header.commonHeader.Id; RawData = data.RawBytes; }
void ParseAttributes(byte[] entry) { //Program.Log("Debug"); if (entry.Length == 1024) { //Program.Log("Debug"); int attrFirstType; int firstAttr; int attrFirstLength; Int64 residentFirstValues; Int64 residentSecondValues; try { //Program.Log("Debug"); DB_Entry dbentry = new DB_Entry(); int lengthleft = 1024; int fileNameLength = 0; string fullpath = ""; string filename = ""; string attrname = ""; bool hasSia = false, hasFia = false; byte[] arrMft = new byte[0x30]; //Program.Log("Debug"); Array.Copy(entry, 0, arrMft, 0, 0x30); //Program.Log("Debug"); MFT mft = ByteArrayToStructure <MFT>(arrMft); //Program.Log("Debug"); firstAttr = BitConverter.ToInt16(new byte[] { entry[0x14], entry[0x15] }, 0); if (firstAttr >= entry.Length || firstAttr < 0) { //return; } attrFirstType = BitConverter.ToInt32(new byte[] { entry[firstAttr], entry[firstAttr + 1], entry[firstAttr + 2], entry[firstAttr + 3] }, 0); attrFirstLength = BitConverter.ToInt32(new byte[] { entry[firstAttr + 4], entry[firstAttr + 5], entry[firstAttr + 6], entry[firstAttr + 7] }, 0); residentFirstValues = BitConverter.ToInt64(new byte[] { entry[firstAttr + 8], entry[firstAttr + 9], entry[firstAttr + 10], entry[firstAttr + 11], entry[firstAttr + 12], entry[firstAttr + 13], entry[firstAttr + 14], entry[firstAttr + 15] }, 0); residentSecondValues = BitConverter.ToInt64(new byte[] { entry[firstAttr + 16], entry[firstAttr + 17], entry[firstAttr + 18], entry[firstAttr + 19], entry[firstAttr + 20], entry[firstAttr + 21], entry[firstAttr + 22], entry[firstAttr + 23] }, 0); lengthleft -= firstAttr; while (lengthleft > 0) { byte[] buffer = new byte[0x400]; try { if (firstAttr + 24 <= entry.Length && attrFirstLength - 24 <= entry.Length && firstAttr > 0 && attrFirstLength - 24 > 0) { Array.Copy(entry, firstAttr + 24, buffer, 0, attrFirstLength - 24); } else { lengthleft = 0; break; } //Program.Log("Debug"); //Program.Log("Debug"); } catch (Exception ex) { lengthleft = 0; } switch (attrFirstType) { //SIA case 0x10: //Program.Log("Debug"); ATTR_SIA sia = ByteArrayToStructure <ATTR_SIA>(buffer); firstAttr += attrFirstLength; attrFirstType = BitConverter.ToInt32(new byte[] { entry[firstAttr], entry[firstAttr + 1], entry[firstAttr + 2], entry[firstAttr + 3] }, 0); attrFirstLength = BitConverter.ToInt32(new byte[] { entry[firstAttr + 4], entry[firstAttr + 5], entry[firstAttr + 6], entry[firstAttr + 7] }, 0); //Debug.Print(sia.ToString()); dbentry.sia = sia; hasSia = true; break; //ATTR LIST case 0x20: //Program.Log("Debug"); ATTR_LIST list = ByteArrayToStructure <ATTR_LIST>(buffer); byte[] arrFileName = new byte[list.attrLength]; Array.Copy(buffer, 26, arrFileName, 0, arrFileName.Length); attrname = System.Text.UnicodeEncoding.Unicode.GetString(arrFileName); //Debug.Print(attrname); firstAttr += attrFirstLength; attrFirstType = BitConverter.ToInt32(new byte[] { entry[firstAttr], entry[firstAttr + 1], entry[firstAttr + 2], entry[firstAttr + 3] }, 0); attrFirstLength = BitConverter.ToInt32(new byte[] { entry[firstAttr + 4], entry[firstAttr + 5], entry[firstAttr + 6], entry[firstAttr + 7] }, 0); break; //FIA case 0x30: //Program.Log("Debug"); ATTR_FIA fia = ByteArrayToStructure <ATTR_FIA>(buffer); firstAttr += attrFirstLength; attrFirstType = BitConverter.ToInt32(new byte[] { entry[firstAttr], entry[firstAttr + 1], entry[firstAttr + 2], entry[firstAttr + 3] }, 0); attrFirstLength = BitConverter.ToInt32(new byte[] { entry[firstAttr + 4], entry[firstAttr + 5], entry[firstAttr + 6], entry[firstAttr + 7] }, 0); fileNameLength = fia.filenameLength * 2; byte[] arrFileName2 = new byte[fileNameLength]; Array.Copy(buffer, 0x42, arrFileName2, 0, arrFileName2.Length); filename = System.Text.UnicodeEncoding.Unicode.GetString(arrFileName2); //Program.Log("Debug"); long temp = (fia.fiaReferenceParentDir << 48); temp = temp >> 48; int mftReferenceToHashTable = (int)temp; if ((string)paths[mftReferenceToHashTable] != null) { fullpath = (string)paths[mftReferenceToHashTable]; } fullpath += "\\" + filename; dbentry.fia = fia; hasFia = true; if ((fia.flags & FLAGS.Directory) == FLAGS.Directory) { //Program.Log("Debug"); if (!paths.Contains(mft.mftRecordNumber)) { paths.Add(mft.mftRecordNumber, fullpath); } break; } else { //Program.Log("Debug"); //Debug.Print(fia.ToString()); //Debug.Print("filename: " + fullpath); //Debug.Print(mft.ToString()); break; } //OBJ ID case 0x40: //Program.Log("Debug"); ATTR_OBJID objid = ByteArrayToStructure <ATTR_OBJID>(buffer); firstAttr += attrFirstLength; attrFirstType = BitConverter.ToInt32(new byte[] { entry[firstAttr], entry[firstAttr + 1], entry[firstAttr + 2], entry[firstAttr + 3] }, 0); attrFirstLength = BitConverter.ToInt32(new byte[] { entry[firstAttr + 4], entry[firstAttr + 5], entry[firstAttr + 6], entry[firstAttr + 7] }, 0); break; //SEC DESC case 0x50: //Program.Log("Debug"); byte[] arrSids = new byte[attrFirstLength - 16]; ATTR_SECDESC secdesc = ByteArrayToStructure <ATTR_SECDESC>(buffer); Array.Copy(buffer, 16, arrSids, 0, arrSids.Length); firstAttr += attrFirstLength; attrFirstType = BitConverter.ToInt32(new byte[] { entry[firstAttr], entry[firstAttr + 1], entry[firstAttr + 2], entry[firstAttr + 3] }, 0); attrFirstLength = BitConverter.ToInt32(new byte[] { entry[firstAttr + 4], entry[firstAttr + 5], entry[firstAttr + 6], entry[firstAttr + 7] }, 0); break; //VOL NAME case 0x60: //Program.Log("Debug"); System.Text.UnicodeEncoding enc = new UnicodeEncoding(); ATTR_VOLNAME volname = new ATTR_VOLNAME(enc.GetString(buffer)); firstAttr += attrFirstLength; attrFirstType = BitConverter.ToInt32(new byte[] { entry[firstAttr], entry[firstAttr + 1], entry[firstAttr + 2], entry[firstAttr + 3] }, 0); attrFirstLength = BitConverter.ToInt32(new byte[] { entry[firstAttr + 4], entry[firstAttr + 5], entry[firstAttr + 6], entry[firstAttr + 7] }, 0); break; //VOL INFO case 0x70: //Program.Log("Debug"); ATTR_VOLINFO volinfo = ByteArrayToStructure <ATTR_VOLINFO>(buffer); firstAttr += attrFirstLength; attrFirstType = BitConverter.ToInt32(new byte[] { entry[firstAttr], entry[firstAttr + 1], entry[firstAttr + 2], entry[firstAttr + 3] }, 0); attrFirstLength = BitConverter.ToInt32(new byte[] { entry[firstAttr + 4], entry[firstAttr + 5], entry[firstAttr + 6], entry[firstAttr + 7] }, 0); break; //DATA case 0x80: //Program.Log("Debug"); ATTR_DATA data = new ATTR_DATA(); data.data = buffer; firstAttr += attrFirstLength; attrFirstType = BitConverter.ToInt32(new byte[] { entry[firstAttr], entry[firstAttr + 1], entry[firstAttr + 2], entry[firstAttr + 3] }, 0); attrFirstLength = BitConverter.ToInt32(new byte[] { entry[firstAttr + 4], entry[firstAttr + 5], entry[firstAttr + 6], entry[firstAttr + 7] }, 0); break; //INDX ROOT case 0x90: //Program.Log("Debug"); ATTR_INDXROOT indxroot = ByteArrayToStructure <ATTR_INDXROOT>(buffer); firstAttr += attrFirstLength; attrFirstType = BitConverter.ToInt32(new byte[] { entry[firstAttr], entry[firstAttr + 1], entry[firstAttr + 2], entry[firstAttr + 3] }, 0); attrFirstLength = BitConverter.ToInt32(new byte[] { entry[firstAttr + 4], entry[firstAttr + 5], entry[firstAttr + 6], entry[firstAttr + 7] }, 0); break; //INDX ALLOC case 0xA0: //Program.Log("Debug"); ATTR_INDXALLOC indxalloc = new ATTR_INDXALLOC(); indxalloc.entries = buffer; firstAttr += attrFirstLength; attrFirstType = BitConverter.ToInt32(new byte[] { entry[firstAttr], entry[firstAttr + 1], entry[firstAttr + 2], entry[firstAttr + 3] }, 0); attrFirstLength = BitConverter.ToInt32(new byte[] { entry[firstAttr + 4], entry[firstAttr + 5], entry[firstAttr + 6], entry[firstAttr + 7] }, 0); break; //BITMAP case 0xB0: //Program.Log("Debug"); ATTR_BITMAP bitmap = ByteArrayToStructure <ATTR_BITMAP>(buffer); firstAttr += attrFirstLength; attrFirstType = BitConverter.ToInt32(new byte[] { entry[firstAttr], entry[firstAttr + 1], entry[firstAttr + 2], entry[firstAttr + 3] }, 0); attrFirstLength = BitConverter.ToInt32(new byte[] { entry[firstAttr + 4], entry[firstAttr + 5], entry[firstAttr + 6], entry[firstAttr + 7] }, 0); break; //REPARSE case 0xC0: //Program.Log("Debug"); ATTR_REPARSE reparse = new ATTR_REPARSE(buffer); firstAttr += attrFirstLength; attrFirstType = BitConverter.ToInt32(new byte[] { entry[firstAttr], entry[firstAttr + 1], entry[firstAttr + 2], entry[firstAttr + 3] }, 0); attrFirstLength = BitConverter.ToInt32(new byte[] { entry[firstAttr + 4], entry[firstAttr + 5], entry[firstAttr + 6], entry[firstAttr + 7] }, 0); break; //EA INFO case 0xD0: //Program.Log("Debug"); ATTR_EAINFO eainfo = ByteArrayToStructure <ATTR_EAINFO>(buffer); firstAttr += attrFirstLength; attrFirstType = BitConverter.ToInt32(new byte[] { entry[firstAttr], entry[firstAttr + 1], entry[firstAttr + 2], entry[firstAttr + 3] }, 0); attrFirstLength = BitConverter.ToInt32(new byte[] { entry[firstAttr + 4], entry[firstAttr + 5], entry[firstAttr + 6], entry[firstAttr + 7] }, 0); break; //EA case 0xE0: //Program.Log("Debug"); ATTR_EA ea = new ATTR_EA(buffer); firstAttr += attrFirstLength; attrFirstType = BitConverter.ToInt32(new byte[] { entry[firstAttr], entry[firstAttr + 1], entry[firstAttr + 2], entry[firstAttr + 3] }, 0); attrFirstLength = BitConverter.ToInt32(new byte[] { entry[firstAttr + 4], entry[firstAttr + 5], entry[firstAttr + 6], entry[firstAttr + 7] }, 0); break; default: //Program.Log("Debug"); lengthleft = 0; break; } lengthleft -= firstAttr; } if (hasFia != false && hasSia != false) { //Program.Log("Debug"); //dbEntries.Add(new Tuple<string, string[]>("nav", new string[] {"NULL", fullpath, filename, DateTime.FromFileTime(dbentry.sia.siaCreate).ToString(), //DateTime.FromFileTime(dbentry.sia.siaAccess).ToString(),DateTime.FromFileTime(dbentry.sia.siaAlter).ToString(), //DateTime.FromFileTime(dbentry.sia.siaMod).ToString(),DateTime.FromFileTime(dbentry.fia.fiaCreate).ToString(), //DateTime.FromFileTime(dbentry.fia.fiaMod).ToString(),DateTime.FromFileTime(dbentry.fia.fiaAccess).ToString(), //DateTime.FromFileTime(dbentry.fia.fiaAlter).ToString(),dbentry.fia.fiaAllocSize.ToString()})); conn.Insert("mft", new string[] { "NULL", fullpath, filename, DateTime.FromFileTime(dbentry.sia.siaCreate).ToString(), DateTime.FromFileTime(dbentry.sia.siaAccess).ToString(), DateTime.FromFileTime(dbentry.sia.siaAlter).ToString(), DateTime.FromFileTime(dbentry.sia.siaMod).ToString(), DateTime.FromFileTime(dbentry.fia.fiaCreate).ToString(), DateTime.FromFileTime(dbentry.fia.fiaMod).ToString(), DateTime.FromFileTime(dbentry.fia.fiaAccess).ToString(), DateTime.FromFileTime(dbentry.fia.fiaAlter).ToString(), dbentry.fia.fiaAllocSize.ToString() }); } } catch (Exception ex) { //Program.Log("Debug"); } } else { //Program.Log("Debug"); return; //throw new ArgumentOutOfRangeException(); } }