public byte[] GetBytes(ushort majorNTFSVersion)
{
int length = (majorNTFSVersion == 3) ? LengthNTFS30 : LengthNTFS12;
byte[] recordBytes = new byte[LengthNTFS30];
LittleEndianWriter.WriteUInt32(recordBytes, 0x00, MajorVersion);
LittleEndianWriter.WriteUInt32(recordBytes, 0x04, MinorVersion);
LittleEndianWriter.WriteUInt64(recordBytes, 0x08, StartOfCheckpointLsn);
LittleEndianWriter.WriteUInt64(recordBytes, 0x10, OpenAttributeTableLsn);
LittleEndianWriter.WriteUInt64(recordBytes, 0x18, AttributeNamesLsn);
LittleEndianWriter.WriteUInt64(recordBytes, 0x20, DirtyPageTableLsn);
LittleEndianWriter.WriteUInt64(recordBytes, 0x28, TransactionTableLsn);
LittleEndianWriter.WriteUInt32(recordBytes, 0x30, OpenAttributeTableLength);
LittleEndianWriter.WriteUInt32(recordBytes, 0x34, AttributeNamesLength);
LittleEndianWriter.WriteUInt32(recordBytes, 0x38, DirtyPageTableLength);
LittleEndianWriter.WriteUInt32(recordBytes, 0x3C, TransactionTableLength);
if (length >= LengthNTFS30)
{
LittleEndianWriter.WriteUInt64(recordBytes, 0x40, Unknown1);
LittleEndianWriter.WriteUInt64(recordBytes, 0x48, PreviousRestartRecordLsn);
LittleEndianWriter.WriteUInt32(recordBytes, 0x50, BytesPerCluster);
UsnJournal.WriteBytes(recordBytes, 0x58);
LittleEndianWriter.WriteUInt64(recordBytes, 0x60, Unknown2);
if (length >= LengthVista)
{
LittleEndianWriter.WriteUInt64(recordBytes, 0x68, UnknownLsn);
}
}
return(recordBytes);
}
public override void WriteBytes(byte[] buffer, int offset)
{
int fileReferenceOffset = (m_majorVersion == 0) ? FileReferenceOffsetV0 : FileReferenceOffsetV1;
int lsnOfOpenRecordOffset = (m_majorVersion == 0) ? LsnOfOpenRecordOffsetV0 : LsnOfOpenRecordOffsetV1;
int dirtyPagesSeenOffset = (m_majorVersion == 0) ? DirtyPagesSeenOffsetV0 : DirtyPagesSeenOffsetV1;
int attributeTypeCodeOffset = (m_majorVersion == 0) ? AttributeTypeCodeOffsetV0 : AttributeTypeCodeOffsetV1;
int bytesPerIndexBufferOffset = (m_majorVersion == 0) ? BytesPerIndexBufferOffsetV0 : BytesPerIndexBufferOffsetV1;
LittleEndianWriter.WriteUInt32(buffer, offset + 0x00, AllocatedOrNextFree);
if (m_majorVersion == 0)
{
LittleEndianWriter.WriteUInt32(buffer, offset + 0x04, AttributeOffset);
}
FileReference.WriteBytes(buffer, offset + fileReferenceOffset);
LittleEndianWriter.WriteUInt64(buffer, offset + lsnOfOpenRecordOffset, LsnOfOpenRecord);
ByteWriter.WriteByte(buffer, offset + dirtyPagesSeenOffset, Convert.ToByte(DirtyPagesSeen));
if (m_majorVersion == 0)
{
// This field exists in NTFS v1.2, should be set to be false in NTFS v3.0+
ByteWriter.WriteByte(buffer, offset + 0x19, Convert.ToByte(AttributeNamePresent));
}
LittleEndianWriter.WriteUInt32(buffer, offset + attributeTypeCodeOffset, (uint)AttributeTypeCode);
LittleEndianWriter.WriteUInt64(buffer, offset + 0x20, PointerToAttributeName);
if (AttributeTypeCode == AttributeType.IndexAllocation)
{
LittleEndianWriter.WriteUInt32(buffer, offset + bytesPerIndexBufferOffset, BytesPerIndexBuffer);
}
}
/// <param name="segmentLength">This refers to the maximum length of FileRecord as defined in the Volume's BootRecord</param>
public byte[] GetBytes(int bytesPerFileRecordSegment, ushort minorNTFSVersion)
{
int strideCount = bytesPerFileRecordSegment / MultiSectorHelper.BytesPerStride;
ushort updateSequenceArraySize = (ushort)(1 + strideCount);
ushort updateSequenceArrayOffset;
if (minorNTFSVersion == 0)
{
updateSequenceArrayOffset = NTFS30UpdateSequenceArrayOffset;
}
else
{
updateSequenceArrayOffset = NTFS31UpdateSequenceArrayOffset;
}
MultiSectorHeader multiSectorHeader = new MultiSectorHeader(ValidSignature, updateSequenceArrayOffset, updateSequenceArraySize);
ushort firstAttributeOffset = GetFirstAttributeOffset(bytesPerFileRecordSegment, minorNTFSVersion);
byte[] buffer = new byte[bytesPerFileRecordSegment];
multiSectorHeader.WriteBytes(buffer, 0x00);
LittleEndianWriter.WriteUInt64(buffer, 0x08, LogFileSequenceNumber);
LittleEndianWriter.WriteUInt16(buffer, 0x10, m_sequenceNumber);
LittleEndianWriter.WriteUInt16(buffer, 0x12, ReferenceCount);
LittleEndianWriter.WriteUInt16(buffer, 0x14, firstAttributeOffset);
LittleEndianWriter.WriteUInt16(buffer, 0x16, (ushort)m_flags);
LittleEndianWriter.WriteInt32(buffer, 0x1C, bytesPerFileRecordSegment);
m_baseFileRecordSegment.WriteBytes(buffer, 0x20);
LittleEndianWriter.WriteUInt16(buffer, 0x28, NextAttributeInstance);
if (minorNTFSVersion == 1)
{
LittleEndianWriter.WriteUInt32(buffer, 0x2C, (uint)m_segmentNumber);
}
// write attributes
int position = firstAttributeOffset;
foreach (AttributeRecord attribute in m_immediateAttributes)
{
byte[] attributeBytes = attribute.GetBytes();
ByteWriter.WriteBytes(buffer, position, attributeBytes);
position += attributeBytes.Length;
}
byte[] marker = GetEndMarker();
ByteWriter.WriteBytes(buffer, position, marker);
position += marker.Length;
position += 4; // record (length) is aligned to 8-byte boundary
uint segmentLength = (uint)position;
LittleEndianWriter.WriteUInt32(buffer, 0x18, segmentLength);
// Write UpdateSequenceNumber and UpdateSequenceReplacementData
List <byte[]> updateSequenceReplacementData = MultiSectorHelper.EncodeSegmentBuffer(buffer, 0, bytesPerFileRecordSegment, UpdateSequenceNumber);
MultiSectorHelper.WriteUpdateSequenceArray(buffer, updateSequenceArrayOffset, updateSequenceArraySize, UpdateSequenceNumber, updateSequenceReplacementData);
return(buffer);
}
public void WriteBytes(byte[] buffer, int offset)
{
LittleEndianWriter.WriteUInt32(buffer, offset + 0x00, (uint)AttributeType);
LittleEndianWriter.WriteUInt16(buffer, offset + 0x04, (ushort)this.Length);
ByteWriter.WriteByte(buffer, offset + 0x06, (byte)AttributeName.Length);
ByteWriter.WriteByte(buffer, offset + 0x07, (byte)HeaderLength);
LittleEndianWriter.WriteUInt64(buffer, offset + 0x08, (ulong)LowestVCN);
SegmentReference.WriteBytes(buffer, offset + 0x10);
LittleEndianWriter.WriteUInt16(buffer, offset + 0x18, Instance);
ByteWriter.WriteUTF16String(buffer, offset + HeaderLength, AttributeName);
}
public void WriteBytes(byte[] buffer, int offset)
{
ushort entryLength = (ushort)this.Length;
FileReference.WriteBytes(buffer, offset + 0x00);
LittleEndianWriter.WriteUInt16(buffer, offset + 0x08, entryLength);
LittleEndianWriter.WriteUInt16(buffer, offset + 0x0A, (ushort)Key.Length);
LittleEndianWriter.WriteUInt16(buffer, offset + 0x0C, (ushort)Flags);
ByteWriter.WriteBytes(buffer, offset + 0x10, Key);
if (ParentNodeForm)
{
LittleEndianWriter.WriteUInt64(buffer, offset + entryLength - 8, (ulong)SubnodeVBN);
}
}
public byte[] GetBytes()
{
byte[] buffer = new byte[FixedLength + FileName.Length * 2];
ParentDirectory.WriteBytes(buffer, 0x00);
StandardInformationRecord.WriteDateTime(buffer, 0x08, CreationTime);
StandardInformationRecord.WriteDateTime(buffer, 0x10, ModificationTime);
StandardInformationRecord.WriteDateTime(buffer, 0x18, MftModificationTime);
StandardInformationRecord.WriteDateTime(buffer, 0x20, LastAccessTime);
LittleEndianWriter.WriteUInt64(buffer, 0x28, AllocatedSize);
LittleEndianWriter.WriteUInt64(buffer, 0x30, RealSize);
ByteWriter.WriteByte(buffer, 0x40, (byte)FileName.Length);
ByteWriter.WriteByte(buffer, 0x41, (byte)Namespace);
ByteWriter.WriteBytes(buffer, 0x42, Encoding.Unicode.GetBytes(FileName));
return(buffer);
}
public byte[] GetBytes()
{
byte[] buffer = new byte[this.Length];
ParentDirectory.WriteBytes(buffer, 0x00);
StandardInformationRecord.WriteDateTime(buffer, 0x08, CreationTime);
StandardInformationRecord.WriteDateTime(buffer, 0x10, ModificationTime);
StandardInformationRecord.WriteDateTime(buffer, 0x18, MftModificationTime);
StandardInformationRecord.WriteDateTime(buffer, 0x20, LastAccessTime);
LittleEndianWriter.WriteUInt64(buffer, 0x28, AllocatedLength);
LittleEndianWriter.WriteUInt64(buffer, 0x30, FileSize);
LittleEndianWriter.WriteUInt32(buffer, 0x38, (uint)FileAttributes);
LittleEndianWriter.WriteUInt16(buffer, 0x3C, PackedEASize);
ByteWriter.WriteByte(buffer, 0x40, (byte)FileName.Length);
ByteWriter.WriteByte(buffer, 0x41, (byte)Flags);
ByteWriter.WriteBytes(buffer, 0x42, Encoding.Unicode.GetBytes(FileName));
return(buffer);
}
public byte[] GetBytes(int bytesPerFileRecordSegment, ushort minorNTFSVersion, bool applyUsaProtection)
{
int strideCount = bytesPerFileRecordSegment / MultiSectorHelper.BytesPerStride;
ushort updateSequenceArraySize = (ushort)(1 + strideCount);
ushort updateSequenceArrayOffset;
if (minorNTFSVersion == 0)
{
updateSequenceArrayOffset = NTFS30UpdateSequenceArrayOffset;
}
else
{
updateSequenceArrayOffset = NTFS31UpdateSequenceArrayOffset;
}
MultiSectorHeader multiSectorHeader = new MultiSectorHeader(ValidSignature, updateSequenceArrayOffset, updateSequenceArraySize);
ushort firstAttributeOffset = GetFirstAttributeOffset(bytesPerFileRecordSegment, minorNTFSVersion);
int length = applyUsaProtection ? bytesPerFileRecordSegment : GetNumberOfBytesInUse(bytesPerFileRecordSegment, minorNTFSVersion);
byte[] buffer = new byte[length];
multiSectorHeader.WriteBytes(buffer, 0x00);
LittleEndianWriter.WriteUInt64(buffer, 0x08, LogFileSequenceNumber);
LittleEndianWriter.WriteUInt16(buffer, 0x10, m_sequenceNumber);
LittleEndianWriter.WriteUInt16(buffer, 0x12, ReferenceCount);
LittleEndianWriter.WriteUInt16(buffer, 0x14, firstAttributeOffset);
LittleEndianWriter.WriteUInt16(buffer, 0x16, (ushort)m_flags);
LittleEndianWriter.WriteInt32(buffer, 0x1C, bytesPerFileRecordSegment);
m_baseFileRecordSegment.WriteBytes(buffer, 0x20);
LittleEndianWriter.WriteUInt16(buffer, 0x28, NextAttributeInstance);
if (minorNTFSVersion == 1)
{
LittleEndianWriter.WriteUInt32(buffer, 0x2C, (uint)m_segmentNumber);
}
LittleEndianWriter.WriteUInt32(buffer, updateSequenceArrayOffset, UpdateSequenceNumber);
// write attributes
int position = firstAttributeOffset;
foreach (AttributeRecord attribute in m_immediateAttributes)
{
byte[] attributeBytes = attribute.GetBytes();
ByteWriter.WriteBytes(buffer, position, attributeBytes);
position += attributeBytes.Length;
}
LittleEndianWriter.WriteUInt32(buffer, position, AttributesEndMarker);
position += AttributesEndMarkerLength; // End marker + alignment to 8-byte boundary
uint segmentLength = (uint)position;
LittleEndianWriter.WriteUInt32(buffer, 0x18, segmentLength);
if (applyUsaProtection)
{
MultiSectorHelper.ApplyUsaProtection(buffer, 0);
}
return(buffer);
}
