protected override void GetItem(string path) { if (GetDrive() == null) { return; } string normalized_path = NormalizePath(path); if (_item_cache.ContainsKey(normalized_path)) { ObjectDirectoryEntry entry = _item_cache[normalized_path]; WriteItemObject(entry, path, entry.IsDirectory); } else { using (NtDirectory dir = GetPathDirectory(path)) { ObjectDirectoryInformation dir_info = GetEntry(dir, path); if (dir_info != null) { WriteItemObject(new ObjectDirectoryEntry(GetDrive().DirectoryRoot, normalized_path, dir_info.Name, dir_info.TypeName), path.TrimStart('\\'), dir_info.IsDirectory); } } } }
private void BuildTree(ulong ptr, int parent) { ObjectDirectoryEntry objectDirectoryEntry = new ObjectDirectoryEntry(_profile, _dataProvider, virtualAddress: ptr); //uint objectDirectoryEntrySize = (uint)_profile.GetStructureSize("_OBJECT_DIRECTORY_ENTRY"); //var dll = _profile.GetStructureAssembly("_OBJECT_DIRECTORY_ENTRY"); //Type t = dll.GetType("liveforensics.OBJECT_DIRECTORY_ENTRY"); //byte[] buffer = _dataProvider.ReadMemoryBlock(ptr, _objectMap.ObjectDirectoryEntrySize); //GCHandle pinnedPacket = GCHandle.Alloc(buffer, GCHandleType.Pinned); //objectDirectoryEntry = Marshal.PtrToStructure(Marshal.UnsafeAddrOfPinnedArrayElement(buffer, 0), t); //pinnedPacket.Free(); ulong addr = (objectDirectoryEntry.Members.Object - _objectMap.ObjectHeaderSize) & 0xffffffffffff; ObjectHeader oh = new ObjectHeader(_profile, _dataProvider, addr); string name = _profile.GetObjectName(oh.TypeInfo); int index = _index++; if (name == "Directory") { ProcessDirectory(objectDirectoryEntry.Members.Object & 0xffffffffffff, index); } //if (oh.HeaderNameInfo != null) // name += ("\t" + oh.HeaderNameInfo.Name); //Debug.WriteLine("[" + parent + "][" + index + "]" + addr.ToString("X08") + " (0x" + oh.PhysicalAddress.ToString("X08") + ")(p)\t" + name); _objectMap.ObjectTreeRecords.Add(new ObjectTreeRecord() { ObjectHeaderVirtualAddress = addr, Parent = parent, Index = index }); ulong chainlinkPtr = (objectDirectoryEntry.Members.ChainLink) & 0xffffffffffff; if (chainlinkPtr != 0) { BuildTree(chainlinkPtr, parent); } }
static string GetSymlinkTarget(ObjectDirectoryEntry entry) { try { return(ObjectNamespace.ReadSymlink(entry.FullPath)); } catch (System.ComponentModel.Win32Exception) { return(""); } }
static string GetSymlinkTarget(ObjectDirectoryEntry entry) { try { return ObjectNamespace.ReadSymlink(entry.FullPath); } catch (System.ComponentModel.Win32Exception) { return ""; } }
static string GetSymlinkTarget(ObjectDirectoryEntry entry) { try { return(ObjectNamespace.ReadSymlink(entry.FullPath)); } catch (NtException) { return(""); } }
static string GetSymlinkTarget(ObjectDirectoryEntry entry) { try { using (NtSymbolicLink link = NtSymbolicLink.Open(entry.FullPath, null)) { return(link.Target); } } catch (NtException) { return(""); } }
private void AddMatches(NtDirectory root, string base_path, IEnumerable<string> remaining, List<string> matches) { string current_entry = remaining.First(); bool is_leaf = remaining.Count() == 1; List<ObjectDirectoryInformation> matching_entries = new List<ObjectDirectoryInformation>(); if (root.IsAccessGranted(DirectoryAccessRights.Query)) { // If this is not a leaf point we don't care about non-directory entries. ObjectDirectoryInformation[] dir_infos = root.Query().Where(d => is_leaf || d.IsDirectory).ToArray(); foreach (ObjectDirectoryInformation dir_info in dir_infos) { if (dir_info.Name.Equals(current_entry, StringComparison.OrdinalIgnoreCase)) { matching_entries.Add(dir_info); break; } } // If we didn't find an explicit match then see if it's a glob. if (matching_entries.Count == 0 && HasGlobChars(current_entry)) { Regex globber = GlobToRegex(current_entry, false); foreach (ObjectDirectoryInformation dir_info in dir_infos) { if (globber.IsMatch(dir_info.Name)) { matching_entries.Add(dir_info); } } } } // Nothing matched. if (matching_entries.Count == 0) { return; } // We've reached the end of the road. if (is_leaf) { foreach (ObjectDirectoryInformation dir_info in matching_entries) { string full_path = base_path + dir_info.Name; _item_cache[full_path] = new ObjectDirectoryEntry(GetDrive().DirectoryRoot, NormalizePath(full_path), dir_info.Name, dir_info.TypeName); matches.Add(full_path); } } else { foreach (ObjectDirectoryInformation entry in matching_entries) { try { using (NtDirectory dir = NtDirectory.Open(entry.Name, root, DirectoryAccessRights.Query)) { AddMatches(dir, base_path + entry.Name + @"\", remaining.Skip(1), matches); } } catch (NtException) { } } } }
static string GetSymlinkTarget(ObjectDirectoryEntry entry) { try { using (NtSymbolicLink link = NtSymbolicLink.Open(entry.FullPath, null)) { return link.Target; } } catch (NtException) { return ""; } }
private void AddMatches(NtDirectory root, string base_path, IEnumerable <string> remaining, List <string> matches) { string current_entry = remaining.First(); bool is_leaf = remaining.Count() == 1; List <ObjectDirectoryInformation> matching_entries = new List <ObjectDirectoryInformation>(); if (root.IsAccessGranted(DirectoryAccessRights.Query)) { // If this is not a leaf point we don't care about non-directory entries. ObjectDirectoryInformation[] dir_infos = root.Query().Where(d => is_leaf || d.IsDirectory).ToArray(); foreach (ObjectDirectoryInformation dir_info in dir_infos) { if (dir_info.Name.Equals(current_entry, StringComparison.OrdinalIgnoreCase)) { matching_entries.Add(dir_info); break; } } // If we didn't find an explicit match then see if it's a glob. if (matching_entries.Count == 0 && HasGlobChars(current_entry)) { Regex globber = GlobToRegex(current_entry, false); foreach (ObjectDirectoryInformation dir_info in dir_infos) { if (globber.IsMatch(dir_info.Name)) { matching_entries.Add(dir_info); } } } } // Nothing matched. if (matching_entries.Count == 0) { return; } // We've reached the end of the road. if (is_leaf) { foreach (ObjectDirectoryInformation dir_info in matching_entries) { string full_path = base_path + dir_info.Name; _item_cache[full_path] = new ObjectDirectoryEntry(GetDrive().DirectoryRoot, NormalizePath(full_path), dir_info.Name, dir_info.TypeName); matches.Add(full_path); } } else { foreach (ObjectDirectoryInformation entry in matching_entries) { try { using (NtDirectory dir = NtDirectory.Open(entry.Name, root, DirectoryAccessRights.Query)) { AddMatches(dir, base_path + entry.Name + @"\", remaining.Skip(1), matches); } } catch (NtException) { } } } }