public LfsRestartArea(byte[] buffer, int offset) { CurrentLsn = LittleEndianConverter.ToUInt64(buffer, offset + 0x00); ushort logClients = LittleEndianConverter.ToUInt16(buffer, offset + 0x08); ClientFreeList = LittleEndianConverter.ToUInt16(buffer, offset + 0x0A); ClientInUseList = LittleEndianConverter.ToUInt16(buffer, offset + 0x0C); Flags = (LfsRestartFlags)LittleEndianConverter.ToUInt16(buffer, offset + 0x0E); SeqNumberBits = LittleEndianConverter.ToUInt32(buffer, offset + 0x10); RestartAreaLength = LittleEndianConverter.ToUInt16(buffer, offset + 0x14); ushort clientArrayOffset = LittleEndianConverter.ToUInt16(buffer, offset + 0x16); FileSize = LittleEndianConverter.ToUInt32(buffer, offset + 0x18); LastLsnDataLength = LittleEndianConverter.ToUInt32(buffer, offset + 0x20); RecordHeaderLength = LittleEndianConverter.ToUInt16(buffer, offset + 0x24); LogPageDataOffset = LittleEndianConverter.ToUInt16(buffer, offset + 0x26); if (clientArrayOffset >= 0x30) { RevisionNumber = LittleEndianConverter.ToUInt32(buffer, offset + 0x28); } int position = offset + clientArrayOffset; for (int index = 0; index < logClients; index++) { LfsClientRecord clientRecord = new LfsClientRecord(buffer, position); LogClientArray.Add(clientRecord); position += clientRecord.Length; } }
public LockElement(byte[] buffer, int offset) { Offset = LittleEndianConverter.ToUInt64(buffer, offset + 0); Length = LittleEndianConverter.ToUInt64(buffer, offset + 8); Flags = (LockFlags)LittleEndianConverter.ToUInt32(buffer, offset + 16); Reserved = LittleEndianConverter.ToUInt32(buffer, offset + 20); }
public FileRenameInformationType2(byte[] buffer, int offset) { ReplaceIfExists = Conversion.ToBoolean(ByteReader.ReadByte(buffer, offset + 0)); RootDirectory = LittleEndianConverter.ToUInt64(buffer, offset + 8); FileNameLength = LittleEndianConverter.ToUInt32(buffer, offset + 16); FileName = ByteReader.ReadUTF16String(buffer, offset + 20, (int)FileNameLength / 2); }
public OpenAttributeEntry(byte[] buffer, int offset, uint majorVersion) { m_majorVersion = majorVersion; int fileReferenceOffset = (m_majorVersion == 0) ? FileReferenceOffsetV0 : FileReferenceOffsetV1; int lsnOfOpenRecordOffset = (m_majorVersion == 0) ? LsnOfOpenRecordOffsetV0 : LsnOfOpenRecordOffsetV1; int dirtyPagesSeenOffset = (m_majorVersion == 0) ? DirtyPagesSeenOffsetV0 : DirtyPagesSeenOffsetV1; int attributeTypeCodeOffset = (m_majorVersion == 0) ? AttributeTypeCodeOffsetV0 : AttributeTypeCodeOffsetV1; int bytesPerIndexBufferOffset = (m_majorVersion == 0) ? BytesPerIndexBufferOffsetV0 : BytesPerIndexBufferOffsetV1; AllocatedOrNextFree = LittleEndianConverter.ToUInt32(buffer, offset + 0x00); if (majorVersion == 0) { AttributeOffset = LittleEndianConverter.ToUInt32(buffer, offset + 0x04); } FileReference = new MftSegmentReference(buffer, offset + fileReferenceOffset); LsnOfOpenRecord = LittleEndianConverter.ToUInt64(buffer, offset + lsnOfOpenRecordOffset); DirtyPagesSeen = Convert.ToBoolean(ByteReader.ReadByte(buffer, offset + dirtyPagesSeenOffset)); if (m_majorVersion == 0) { // This field exists in NTFS v1.2, will be false in NTFS v3.0+ AttributeNamePresent = Convert.ToBoolean(ByteReader.ReadByte(buffer, offset + 0x19)); } AttributeTypeCode = (AttributeType)LittleEndianConverter.ToUInt32(buffer, offset + attributeTypeCodeOffset); PointerToAttributeName = LittleEndianConverter.ToUInt64(buffer, offset + 0x20); if (AttributeTypeCode == AttributeType.IndexAllocation) { BytesPerIndexBuffer = LittleEndianConverter.ToUInt32(buffer, offset + bytesPerIndexBufferOffset); } }
public NTFSRestartRecord(byte[] recordBytes) { MajorVersion = LittleEndianConverter.ToUInt32(recordBytes, 0x00); MinorVersion = LittleEndianConverter.ToUInt32(recordBytes, 0x04); StartOfCheckpointLsn = LittleEndianConverter.ToUInt64(recordBytes, 0x08); OpenAttributeTableLsn = LittleEndianConverter.ToUInt64(recordBytes, 0x10); AttributeNamesLsn = LittleEndianConverter.ToUInt64(recordBytes, 0x18); DirtyPageTableLsn = LittleEndianConverter.ToUInt64(recordBytes, 0x20); TransactionTableLsn = LittleEndianConverter.ToUInt64(recordBytes, 0x28); OpenAttributeTableLength = LittleEndianConverter.ToUInt32(recordBytes, 0x30); AttributeNamesLength = LittleEndianConverter.ToUInt32(recordBytes, 0x34); DirtyPageTableLength = LittleEndianConverter.ToUInt32(recordBytes, 0x38); TransactionTableLength = LittleEndianConverter.ToUInt32(recordBytes, 0x3C); if (recordBytes.Length >= LengthNTFS30) { Unknown1 = LittleEndianConverter.ToUInt64(recordBytes, 0x40); PreviousRestartRecordLsn = LittleEndianConverter.ToUInt64(recordBytes, 0x48); BytesPerCluster = LittleEndianConverter.ToUInt32(recordBytes, 0x50); UsnJournal = new MftSegmentReference(recordBytes, 0x58); Unknown2 = LittleEndianConverter.ToUInt64(recordBytes, 0x60); if (recordBytes.Length >= LengthVista) { UnknownLsn = LittleEndianConverter.ToUInt64(recordBytes, 0x68); } } }
public QueryFSSizeInfo(byte[] buffer, int offset) { TotalAllocationUnits = LittleEndianConverter.ToUInt64(buffer, 0); TotalFreeAllocationUnits = LittleEndianConverter.ToUInt64(buffer, 8); SectorsPerAllocationUnit = LittleEndianConverter.ToUInt32(buffer, 16); BytesPerSector = LittleEndianConverter.ToUInt32(buffer, 20); }
// Data run NULL terminator here // I've noticed that Windows Server 2003 puts 0x00 0x01 here for the $MFT FileRecord, seems to have no effect // (I've set it to 0 for the $MFT FileRecord in the MFT and the MFT mirror, and chkdsk did not report a problem. public NonResidentAttributeRecord(byte[] buffer, int offset) : base(buffer, offset) { LowestVCN = (long)LittleEndianConverter.ToUInt64(buffer, offset + 0x10); HighestVCN = (long)LittleEndianConverter.ToUInt64(buffer, offset + 0x18); ushort mappingPairsOffset = LittleEndianConverter.ToUInt16(buffer, offset + 0x20); CompressionUnitSize = LittleEndianConverter.ToUInt16(buffer, offset + 0x22); ulong allocatedLength = LittleEndianConverter.ToUInt64(buffer, offset + 0x28); FileSize = LittleEndianConverter.ToUInt64(buffer, offset + 0x30); ValidDataLength = LittleEndianConverter.ToUInt64(buffer, offset + 0x38); int position = offset + mappingPairsOffset; while (position < offset + this.StoredRecordLength) { DataRun run = new DataRun(); int length = run.Read(buffer, position); position += length; // Length 1 means there was only a header byte (i.e. terminator) if (length == 1) { break; } m_dataRunSequence.Add(run); } if ((HighestVCN - LowestVCN + 1) != m_dataRunSequence.DataClusterCount) { throw new InvalidDataException("Invalid non-resident attribute record"); } }
public SMB2Header(byte[] buffer, int offset) { ProtocolId = ByteReader.ReadBytes(buffer, offset + 0, 4); StructureSize = LittleEndianConverter.ToUInt16(buffer, offset + 4); CreditCharge = LittleEndianConverter.ToUInt16(buffer, offset + 6); Status = (NTStatus)LittleEndianConverter.ToUInt32(buffer, offset + 8); Command = (SMB2CommandName)LittleEndianConverter.ToUInt16(buffer, offset + 12); Credits = LittleEndianConverter.ToUInt16(buffer, offset + 14); Flags = (SMB2PacketHeaderFlags)LittleEndianConverter.ToUInt32(buffer, offset + 16); NextCommand = LittleEndianConverter.ToUInt32(buffer, offset + 20); MessageID = LittleEndianConverter.ToUInt64(buffer, offset + 24); if ((Flags & SMB2PacketHeaderFlags.AsyncCommand) > 0) { AsyncID = LittleEndianConverter.ToUInt64(buffer, offset + 32); } else { Reserved = LittleEndianConverter.ToUInt32(buffer, offset + 32); TreeID = LittleEndianConverter.ToUInt32(buffer, offset + 36); } SessionID = LittleEndianConverter.ToUInt64(buffer, offset + 40); if ((Flags & SMB2PacketHeaderFlags.Signed) > 0) { Signature = ByteReader.ReadBytes(buffer, offset + 48, 16); } }
public PipeWaitRequest(byte[] buffer, int offset) { Timeout = LittleEndianConverter.ToUInt64(buffer, offset + 0); NameLength = LittleEndianConverter.ToUInt32(buffer, offset + 8); TimeSpecified = Convert.ToBoolean(ByteReader.ReadByte(buffer, offset + 12)); Padding = ByteReader.ReadByte(buffer, offset + 13); Name = ByteReader.ReadUTF16String(buffer, offset + 14, (int)(NameLength / 2)); }
public FileRecordSegment(byte[] buffer, int offset, int bytesPerSector, long segmentNumber) { Signature = ByteReader.ReadAnsiString(buffer, offset + 0x00, 4); ushort updateSequenceArrayOffset = LittleEndianConverter.ToUInt16(buffer, offset + 0x04); ushort updateSequenceArraySize = LittleEndianConverter.ToUInt16(buffer, offset + 0x06); LogFileSequenceNumber = LittleEndianConverter.ToUInt64(buffer, offset + 0x08); SequenceNumber = LittleEndianConverter.ToUInt16(buffer, offset + 0x10); HardLinkCount = LittleEndianConverter.ToUInt16(buffer, offset + 0x12); ushort firstAttributeOffset = LittleEndianConverter.ToUInt16(buffer, offset + 0x14); m_flags = (FileRecordFlags)LittleEndianConverter.ToUInt16(buffer, offset + 0x16); uint segmentRealSize = LittleEndianConverter.ToUInt32(buffer, offset + 0x18); uint segmentAllocatedSize = LittleEndianConverter.ToUInt32(buffer, offset + 0x1C); BaseFileRecordSegmentNumber = LittleEndianConverter.ToUInt64(buffer, offset + 0x20); NextAttributeId = LittleEndianConverter.ToUInt16(buffer, offset + 0x28); // 2 zeros - padding MftSegmentNumberXP = LittleEndianConverter.ToUInt32(buffer, offset + 0x2C); // There is an UpdateSequenceNumber for the FileRecordSegment, // and an entry in the UpdateSequenceArray for each sector of the record // The last two bytes of each sector contains this entry for integrity-check purposes int position = offset + updateSequenceArrayOffset; UpdateSequenceNumber = LittleEndianConverter.ToUInt16(buffer, position); position += 2; // This stores the data that was supposed to be placed at the end of each sector, and was replaced with an UpdateSequenceNumber List <byte[]> updateSequenceReplacementData = new List <byte[]>(); for (int index = 0; index < updateSequenceArraySize - 1; index++) { byte[] endOfSectorBytes = new byte[2]; endOfSectorBytes[0] = buffer[position + 0]; endOfSectorBytes[1] = buffer[position + 1]; updateSequenceReplacementData.Add(endOfSectorBytes); position += 2; } MultiSectorHelper.DecodeSegmentBuffer(buffer, offset, UpdateSequenceNumber, updateSequenceReplacementData); // read attributes position = offset + firstAttributeOffset; while (!IsEndMarker(buffer, position)) { AttributeRecord attribute = AttributeRecord.FromBytes(buffer, position); m_immediateAttributes.Add(attribute); position += (int)attribute.StoredRecordLength; if (position > buffer.Length) { throw new InvalidDataException("Improper attribute length"); } } m_mftSegmentNumber = segmentNumber; }
public GuidPartitionEntry(byte[] buffer, int offset) { PartitionTypeGuid = LittleEndianConverter.ToGuid(buffer, offset + 0); PartitionGuid = LittleEndianConverter.ToGuid(buffer, offset + 16); FirstLBA = LittleEndianConverter.ToUInt64(buffer, offset + 32); LastLBA = LittleEndianConverter.ToUInt64(buffer, offset + 40); AttributeFlags = LittleEndianConverter.ToUInt64(buffer, offset + 48); PartitionName = UnicodeEncoding.Unicode.GetString(ByteReader.ReadBytes(buffer, offset + 56, 72)).TrimEnd('\0'); }
public FileFsControlInformation(byte[] buffer, int offset) { FreeSpaceStartFiltering = LittleEndianConverter.ToInt64(buffer, offset + 0); FreeSpaceThreshold = LittleEndianConverter.ToInt64(buffer, offset + 8); FreeSpaceStopFiltering = LittleEndianConverter.ToInt64(buffer, offset + 16); DefaultQuotaThreshold = LittleEndianConverter.ToUInt64(buffer, offset + 24); DefaultQuotaLimit = LittleEndianConverter.ToUInt64(buffer, offset + 32); FileSystemControlFlags = (FileSystemControlFlags)LittleEndianConverter.ToUInt32(buffer, offset + 40); Padding = LittleEndianConverter.ToUInt32(buffer, offset + 44); }
public TransactionEntry(byte[] buffer, int offset) { AllocatedOrNextFree = LittleEndianConverter.ToUInt32(buffer, offset + 0x00); TransactionState = (TransactionState)ByteReader.ReadByte(buffer, offset + 0x04); FirstLsn = LittleEndianConverter.ToUInt64(buffer, offset + 0x08); PreviousLsn = LittleEndianConverter.ToUInt64(buffer, offset + 0x10); UndoNextLsn = LittleEndianConverter.ToUInt64(buffer, offset + 0x18); UndoRecords = LittleEndianConverter.ToUInt32(buffer, offset + 0x20); UndoBytes = LittleEndianConverter.ToInt32(buffer, offset + 0x24); }
public SMB2TransformHeader(byte[] buffer, int offset) { ProtocolId = ByteReader.ReadBytes(buffer, offset + 0, 4); Signature = ByteReader.ReadBytes(buffer, offset + 4, SignatureLength); Nonce = ByteReader.ReadBytes(buffer, offset + 20, NonceLength); OriginalMessageSize = LittleEndianConverter.ToUInt32(buffer, offset + 36); Reserved = LittleEndianConverter.ToUInt16(buffer, offset + 40); Flags = (SMB2TransformHeaderFlags)LittleEndianConverter.ToUInt16(buffer, offset + 42); SessionId = LittleEndianConverter.ToUInt64(buffer, offset + 44); }
public AttributeDefinitionEntry(byte[] buffer, int offset) { AttributeName = ByteReader.ReadUTF16String(buffer, offset + 0x00, AttributeNameLength).TrimEnd(new char[] { '\0' }); AttributeType = (AttributeType)LittleEndianConverter.ToUInt32(buffer, offset + 0x80); DisplayRule = LittleEndianConverter.ToUInt32(buffer, offset + 0x84); CollationRule = (CollationRule)LittleEndianConverter.ToUInt32(buffer, offset + 0x88); Flags = (AttributeDefinitionFlags)LittleEndianConverter.ToUInt32(buffer, offset + 0x8C); MinimumLength = LittleEndianConverter.ToUInt64(buffer, offset + 0x90); MaximumLength = LittleEndianConverter.ToUInt64(buffer, offset + 0x98); }
public DuplicatedInformation(byte[] buffer, int offset) { CreationTime = StandardInformationRecord.ReadDateTime(buffer, offset + 0x00); ModificationTime = StandardInformationRecord.ReadDateTime(buffer, offset + 0x08); MftModificationTime = StandardInformationRecord.ReadDateTime(buffer, offset + 0x10); LastAccessTime = StandardInformationRecord.ReadDateTime(buffer, offset + 0x18); AllocatedLength = LittleEndianConverter.ToUInt64(buffer, offset + 0x20); FileSize = LittleEndianConverter.ToUInt64(buffer, offset + 0x28); FileAttributes = (FileAttributes)LittleEndianConverter.ToUInt32(buffer, offset + 0x30); PackedEASize = LittleEndianConverter.ToUInt16(buffer, offset + 0x34); }
public LfsClientRecord(byte[] buffer, int offset) { OldestLsn = LittleEndianConverter.ToUInt64(buffer, offset + 0x00); ClientRestartLsn = LittleEndianConverter.ToUInt64(buffer, offset + 0x08); PrevClient = LittleEndianConverter.ToUInt16(buffer, offset + 0x10); NextClient = LittleEndianConverter.ToUInt16(buffer, offset + 0x12); SeqNumber = LittleEndianConverter.ToUInt16(buffer, offset + 0x14); uint clientNameLength = LittleEndianConverter.ToUInt16(buffer, offset + 0x1C); ClientName = ByteReader.ReadUTF16String(buffer, offset + 0x20, (int)(clientNameLength / 2)); }
public RootStructure(byte[] buffer, int offset) { ibFileEOF = LittleEndianConverter.ToUInt64(buffer, offset + 4); ibAMapLast = LittleEndianConverter.ToUInt64(buffer, offset + 12); cbAMapFree = LittleEndianConverter.ToUInt64(buffer, offset + 20); cbPMapFree = LittleEndianConverter.ToUInt64(buffer, offset + 28); BREFNBT = new BlockRef(buffer, offset + 36); BREFBBT = new BlockRef(buffer, offset + 52); fAMapValid = ByteReader.ReadByte(buffer, offset + 68); bReserved = ByteReader.ReadByte(buffer, offset + 69); wReserved = LittleEndianConverter.ToUInt16(buffer, offset + 70); }
public LogRecord(byte[] buffer, int offset) { ThisLsn = LittleEndianConverter.ToUInt64(buffer, offset + 0x00); ClientPreviousLsn = LittleEndianConverter.ToUInt64(buffer, offset + 0x08); ClientUndoNextLsn = LittleEndianConverter.ToUInt64(buffer, offset + 0x10); uint clientDataLength = LittleEndianConverter.ToUInt32(buffer, offset + 0x18); ClientSeqNumber = LittleEndianConverter.ToUInt16(buffer, offset + 0x1C); ClientIndex = LittleEndianConverter.ToUInt16(buffer, offset + 0x1E); RecordType = (LogRecordType)LittleEndianConverter.ToUInt32(buffer, offset + 0x20); TransactionId = LittleEndianConverter.ToUInt32(buffer, offset + 0x24); Flags = (LogRecordFlags)LittleEndianConverter.ToUInt16(buffer, offset + 0x28); Data = ByteReader.ReadBytes(buffer, offset + HeaderLength, (int)clientDataLength); }
public AttributeListEntry(byte[] buffer, int offset) { AttributeType = (AttributeType)LittleEndianConverter.ToUInt32(buffer, offset + 0x00); Length = LittleEndianConverter.ToUInt16(buffer, offset + 0x04); NameLength = buffer[offset + 0x06]; NameOffset = buffer[offset + 0x07]; LowestVCN = LittleEndianConverter.ToUInt64(buffer, offset + 0x08); SegmentReference = new MftSegmentReference(buffer, offset + 0x10); AttributeID = LittleEndianConverter.ToUInt16(buffer, offset + 0x18); if (NameLength > 0) { AttributeName = UnicodeEncoding.Unicode.GetString(buffer, offset + NameOffset, NameLength); } }
public FileNameRecord(byte[] buffer, int offset) { ParentDirectory = new MftSegmentReference(buffer, offset + 0x00); CreationTime = StandardInformationRecord.ReadDateTime(buffer, offset + 0x08); ModificationTime = StandardInformationRecord.ReadDateTime(buffer, offset + 0x10); MftModificationTime = StandardInformationRecord.ReadDateTime(buffer, offset + 0x18); LastAccessTime = StandardInformationRecord.ReadDateTime(buffer, offset + 0x20); AllocatedSize = LittleEndianConverter.ToUInt64(buffer, offset + 0x28); RealSize = LittleEndianConverter.ToUInt64(buffer, offset + 0x30); byte fnLen = ByteReader.ReadByte(buffer, offset + 0x40); Namespace = (FilenameNamespace)ByteReader.ReadByte(buffer, offset + 0x41); FileName = Encoding.Unicode.GetString(buffer, offset + 0x42, fnLen * 2); }
public NTFSRestartRecord(byte[] recordBytes) { MajorVersion = LittleEndianConverter.ToUInt32(recordBytes, 0x00); MinorVersion = LittleEndianConverter.ToUInt32(recordBytes, 0x04); StartOfCheckpointLsn = LittleEndianConverter.ToUInt64(recordBytes, 0x08); OpenAttributeTableLsn = LittleEndianConverter.ToUInt64(recordBytes, 0x10); AttributeNamesLsn = LittleEndianConverter.ToUInt64(recordBytes, 0x18); DirtyPageTableLsn = LittleEndianConverter.ToUInt64(recordBytes, 0x20); TransactionTableLsn = LittleEndianConverter.ToUInt64(recordBytes, 0x28); OpenAttributeTableLength = LittleEndianConverter.ToUInt32(recordBytes, 0x30); AttributeNamesLength = LittleEndianConverter.ToUInt32(recordBytes, 0x34); DirtyPageTableLength = LittleEndianConverter.ToUInt32(recordBytes, 0x38); TransactionTableLength = LittleEndianConverter.ToUInt32(recordBytes, 0x3C); }
public WriteRequest(byte[] buffer, int offset) : base(buffer, offset) { StructureSize = LittleEndianConverter.ToUInt16(buffer, offset + SMB2Header.Length + 0); DataOffset = LittleEndianConverter.ToUInt16(buffer, offset + SMB2Header.Length + 2); DataLength = LittleEndianConverter.ToUInt32(buffer, offset + SMB2Header.Length + 4); Offset = LittleEndianConverter.ToUInt64(buffer, offset + SMB2Header.Length + 8); FileId = new FileID(buffer, offset + SMB2Header.Length + 16); Channel = LittleEndianConverter.ToUInt32(buffer, offset + SMB2Header.Length + 32); RemainingBytes = LittleEndianConverter.ToUInt32(buffer, offset + SMB2Header.Length + 36); WriteChannelInfoOffset = LittleEndianConverter.ToUInt16(buffer, offset + SMB2Header.Length + 40); WriteChannelInfoLength = LittleEndianConverter.ToUInt16(buffer, offset + SMB2Header.Length + 42); Flags = (WriteFlags)LittleEndianConverter.ToUInt32(buffer, offset + SMB2Header.Length + 44); Data = ByteReader.ReadBytes(buffer, offset + DataOffset, (int)DataLength); WriteChannelInfo = ByteReader.ReadBytes(buffer, offset + WriteChannelInfoOffset, WriteChannelInfoLength); }
public FileIdFullDirectoryInformation(byte[] buffer, int offset) : base(buffer, offset) { CreationTime = DateTime.FromFileTimeUtc(LittleEndianConverter.ToInt64(buffer, offset + 8)); LastAccessTime = DateTime.FromFileTimeUtc(LittleEndianConverter.ToInt64(buffer, offset + 16)); LastWriteTime = DateTime.FromFileTimeUtc(LittleEndianConverter.ToInt64(buffer, offset + 24)); ChangeTime = DateTime.FromFileTimeUtc(LittleEndianConverter.ToInt64(buffer, offset + 32)); EndOfFile = LittleEndianConverter.ToInt64(buffer, offset + 40); AllocationSize = LittleEndianConverter.ToInt64(buffer, offset + 48); FileAttributes = (FileAttributes)LittleEndianConverter.ToUInt32(buffer, offset + 56); FileNameLength = LittleEndianConverter.ToUInt32(buffer, offset + 60); EaSize = LittleEndianConverter.ToUInt32(buffer, offset + 64); Reserved = LittleEndianConverter.ToUInt32(buffer, offset + 68); FileId = LittleEndianConverter.ToUInt64(buffer, offset + 72); FileName = ByteReader.ReadUTF16String(buffer, offset + 80, (int)FileNameLength / 2); }
public SessionSetupRequest(byte[] buffer, int offset) : base(buffer, offset) { StructureSize = LittleEndianConverter.ToUInt16(buffer, offset + SMB2Header.Length + 0); Flags = (SessionSetupFlags)ByteReader.ReadByte(buffer, offset + SMB2Header.Length + 2); SecurityMode = (SecurityMode)ByteReader.ReadByte(buffer, offset + SMB2Header.Length + 3); Capabilities = (ServerCapabilities)LittleEndianConverter.ToUInt32(buffer, offset + SMB2Header.Length + 4); Channel = LittleEndianConverter.ToUInt32(buffer, offset + SMB2Header.Length + 8); SecurityBufferOffset = LittleEndianConverter.ToUInt16(buffer, offset + SMB2Header.Length + 12); SecurityBufferLength = LittleEndianConverter.ToUInt16(buffer, offset + SMB2Header.Length + 14); PreviousSessionId = LittleEndianConverter.ToUInt64(buffer, offset + SMB2Header.Length + 16); if (SecurityBufferLength > 0) { SecurityBuffer = ByteReader.ReadBytes(buffer, offset + SecurityBufferOffset, SecurityBufferLength); } }
public Section64(byte[] buffer, int offset) { SectionName = ByteReader.ReadAnsiString(buffer, offset + 0, 16).Trim('\0'); SegmentName = ByteReader.ReadAnsiString(buffer, offset + 16, 16).Trim('\0'); Address = LittleEndianConverter.ToUInt64(buffer, offset + 32); Size = LittleEndianConverter.ToUInt64(buffer, offset + 40); Offset = LittleEndianConverter.ToUInt32(buffer, offset + 48); Align = LittleEndianConverter.ToUInt32(buffer, offset + 52); RelocationOffset = LittleEndianConverter.ToUInt32(buffer, offset + 56); NumberOfRelocationOffsets = LittleEndianConverter.ToUInt32(buffer, offset + 60); Flags = LittleEndianConverter.ToUInt32(buffer, offset + 64); Reserved1 = LittleEndianConverter.ToUInt32(buffer, offset + 68); Reserved2 = LittleEndianConverter.ToUInt32(buffer, offset + 72); Reserved3 = LittleEndianConverter.ToUInt32(buffer, offset + 76); }
public long SubnodeVCN; // if PointsToSubnode flag is set, stored as ulong but can be represented using long public IndexNodeEntry(byte[] buffer, ref int offset) { SegmentReference = new MftSegmentReference(buffer, offset + 0x00); ushort recordLength = LittleEndianConverter.ToUInt16(buffer, offset + 0x08); ushort keyLength = LittleEndianConverter.ToUInt16(buffer, offset + 0x0A); Flags = (IndexEntryFlags)LittleEndianConverter.ToUInt16(buffer, offset + 0x0C); Key = ByteReader.ReadBytes(buffer, offset + 0x10, keyLength); if (PointsToSubnode) { // key is padded to align to 8 byte boundary int keyLengthWithPadding = (int)Math.Ceiling((double)keyLength / 8) * 8; SubnodeVCN = (long)LittleEndianConverter.ToUInt64(buffer, offset + 0x10 + keyLengthWithPadding); } offset += recordLength; }
public FileNameRecord(byte[] buffer, int offset) { ParentDirectory = new MftSegmentReference(buffer, offset + 0x00); CreationTime = StandardInformationRecord.ReadDateTime(buffer, offset + 0x08); ModificationTime = StandardInformationRecord.ReadDateTime(buffer, offset + 0x10); MftModificationTime = StandardInformationRecord.ReadDateTime(buffer, offset + 0x18); LastAccessTime = StandardInformationRecord.ReadDateTime(buffer, offset + 0x20); AllocatedLength = LittleEndianConverter.ToUInt64(buffer, offset + 0x28); FileSize = LittleEndianConverter.ToUInt64(buffer, offset + 0x30); FileAttributes = (FileAttributes)LittleEndianConverter.ToUInt32(buffer, offset + 0x38); PackedEASize = LittleEndianConverter.ToUInt16(buffer, offset + 0x3C); byte fileNameLength = ByteReader.ReadByte(buffer, offset + 0x40); Flags = (FileNameFlags)ByteReader.ReadByte(buffer, offset + 0x41); FileName = Encoding.Unicode.GetString(buffer, offset + 0x42, fileNameLength * 2); }
public GuidPartitionTableHeader(byte[] buffer) { Signature = ByteReader.ReadAnsiString(buffer, 0, 8); Revision = LittleEndianConverter.ToUInt32(buffer, 8); HeaderSize = LittleEndianConverter.ToUInt32(buffer, 12); CRC32 = LittleEndianConverter.ToUInt32(buffer, 16); CurrentLBA = LittleEndianConverter.ToUInt64(buffer, 24); BackupLBA = LittleEndianConverter.ToUInt64(buffer, 32); FirstUsableLBA = LittleEndianConverter.ToUInt64(buffer, 40); LastUsableLBA = LittleEndianConverter.ToUInt64(buffer, 48); DiskGuid = LittleEndianConverter.ToGuid(buffer, 56); PartitionEntriesLBA = LittleEndianConverter.ToUInt64(buffer, 72); NumberOfPartitionEntries = LittleEndianConverter.ToUInt32(buffer, 80); SizeOfPartitionEntry = LittleEndianConverter.ToUInt32(buffer, 84); PartitionArrayCRC32 = LittleEndianConverter.ToUInt32(buffer, 88); }
public IndexRecord(byte[] buffer, int offset) { Signature = ByteReader.ReadAnsiString(buffer, offset + 0x00, 4); if (Signature != ValidSignature) { throw new InvalidDataException("Invalid INDX record signature"); } ushort updateSequenceArrayOffset = LittleEndianConverter.ToUInt16(buffer, offset + 0x04); ushort updateSequenceArraySize = LittleEndianConverter.ToUInt16(buffer, offset + 0x06); LogFileSequenceNumber = LittleEndianConverter.ToUInt64(buffer, offset + 0x08); RecordVCN = LittleEndianConverter.ToUInt64(buffer, offset + 0x10); EntriesOffset = LittleEndianConverter.ToUInt32(buffer, offset + 0x18); IndexLength = LittleEndianConverter.ToUInt32(buffer, offset + 0x1C); AllocatedLength = LittleEndianConverter.ToUInt32(buffer, offset + 0x20); HasChildren = ByteReader.ReadByte(buffer, offset + 0x24) > 0; int position = offset + updateSequenceArrayOffset; UpdateSequenceNumber = LittleEndianConverter.ToUInt16(buffer, position); position += 2; List <byte[]> updateSequenceReplacementData = new List <byte[]>(); for (int index = 0; index < updateSequenceArraySize - 1; index++) { byte[] endOfSectorBytes = new byte[2]; endOfSectorBytes[0] = buffer[position + 0]; endOfSectorBytes[1] = buffer[position + 1]; updateSequenceReplacementData.Add(endOfSectorBytes); position += 2; } MultiSectorHelper.DecodeSegmentBuffer(buffer, offset, UpdateSequenceNumber, updateSequenceReplacementData); position = 0x18 + (int)EntriesOffset; if (HasChildren) { IndexNode node = new IndexNode(buffer, position); IndexEntries = node.Entries; } else { FileNameIndexLeafNode leaf = new FileNameIndexLeafNode(buffer, position); FileNameEntries = leaf.Entries; } }