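/// <summary>
/// Builds an AttributeList from a non-resident attribute: copies the header fields
/// exposed by <paramref name="nonRes"/>, then walks the bytes returned by
/// <c>nonRes.GetBytes()</c> and parses one <c>AttrRef</c> per record.
/// </summary>
/// <param name="nonRes">Non-resident attribute whose data holds the attribute references.</param>
internal AttributeList(NonResident nonRes)
{
    Name = (FileRecordAttribute.ATTR_TYPE)nonRes.Name;
    NameString = nonRes.NameString;
    NonResident = nonRes.NonResident;
    AttributeId = nonRes.AttributeId;
    AttributeSize = nonRes.AttributeSize;

    #region AttributeReference

    List<AttrRef> refList = new List<AttrRef>();

    byte[] bytes = nonRes.GetBytes();

    int i = 0;

    while (i < bytes.Length)
    {
        AttrRef attrRef = new AttrRef(bytes, i);

        // RecordLength is taken from the parsed record (presumably straight from
        // volume data). A record reporting no length would leave i unchanged, so
        // the loop would re-parse the same offset and grow refList without bound.
        // Treat it as the end of usable data instead of recording it.
        if (attrRef.RecordLength <= 0)
        {
            break;
        }

        refList.Add(attrRef);

        i += attrRef.RecordLength;
    }

    AttributeReference = refList.ToArray();

    #endregion AttributeReference
}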
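/// <summary>
/// Builds an IndexAllocation attribute: copies the header fields, reads the attribute's
/// bytes from the volume, then walks them in 4096-byte index blocks and collects the
/// IndexEntry objects found in every block whose signature is "INDX".
/// </summary>
/// <param name="header">Non-resident attribute header describing the index allocation.</param>
/// <param name="volume">Volume identifier passed through to <c>header.GetBytes</c>.</param>
internal IndexAllocation(NonResident header, string volume)
{
    // Headers
    Name = (ATTR_TYPE)header.commonHeader.ATTRType;
    NameString = header.NameString;
    NonResident = header.commonHeader.NonResident;
    AttributeId = header.commonHeader.Id;

    // Get IndexAllocation Bytes
    byte[] bytes = header.GetBytes(volume);

    // Instantiate empty IndexEntry List
    List<IndexEntry> indexEntryList = new List<IndexEntry>();

    // Iterate through IndexBlocks (4096 bytes in size)
    for (int offset = 0; offset < bytes.Length; offset += 4096)
    {
        // The two update sequence fields end at offset + 0x08; a shorter trailing
        // fragment cannot hold a block header, so stop instead of reading past the buffer.
        if (bytes.Length - offset < 0x08)
        {
            break;
        }

        // Determine size of Update Sequence
        ushort usOffset = BitConverter.ToUInt16(bytes, offset + 0x04);
        ushort usSize = BitConverter.ToUInt16(bytes, offset + 0x06);
        int indexBlockSize = usOffset + (usSize * 2);

        if (indexBlockSize == 0)
        {
            break;
        }

        IndexBlock.ApplyFixup(ref bytes, offset);

        // Instantiate IndexBlock Object (Header)
        // NOTE(review): every length handed to Helper.GetSubArray below is derived from
        // fields inside the block itself; how GetSubArray reacts to a length that runs
        // past the buffer is not visible here - confirm it bounds-checks.
        IndexBlock indexBlock = new IndexBlock(Helper.GetSubArray(bytes, offset, indexBlockSize));

        if (indexBlock.Signature == "INDX")
        {
            // Create byte array for IndexEntry object
            // 0x18 represents the offset of the EntryOffset value, so it must be added on
            byte[] indexEntryBytes = Helper.GetSubArray(bytes, offset + (int)indexBlock.EntryOffset + 0x18, (int)indexBlock.TotalEntrySize);

            int entryOffset = 0;

            do
            {
                // The entry length is a 16-bit value at entry offset 0x08; make sure
                // those two bytes exist before reading them.
                if (indexEntryBytes.Length - entryOffset < 0x0A)
                {
                    break;
                }

                ushort entryLength = BitConverter.ToUInt16(indexEntryBytes, entryOffset + 0x08);

                // Instantiate an IndexEntry Object
                IndexEntry indexEntry = new IndexEntry(Helper.GetSubArray(indexEntryBytes, entryOffset, entryLength));
                entryOffset += indexEntry.Size;

                // Check if entry is the last in the Entry array
                if (indexEntry.Flags == 0x02 || indexEntry.Flags == 0x03)
                {
                    break;
                }

                // An entry that reports no size leaves entryOffset where it was, so the
                // loop would parse the same bytes forever and grow the list without bound.
                if (indexEntry.Size <= 0)
                {
                    break;
                }

                // Add IndexEntry Object to list
                indexEntryList.Add(indexEntry);

            } while (entryOffset < indexEntryBytes.Length);
        }
    }

    Entries = indexEntryList.ToArray();
}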
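/// <summary>
/// Builds an IndexAllocation attribute: copies the header fields (including the total
/// attribute size), reads the attribute's bytes, then walks them in 4096-byte index
/// blocks and collects the IndexEntry objects found in every block whose signature is "INDX".
/// </summary>
/// <param name="header">Non-resident attribute header describing the index allocation.</param>
/// <param name="volume">Volume identifier; not referenced by this version of the constructor body.</param>
internal IndexAllocation(NonResident header, string volume)
{
    // Headers
    Name = (ATTR_TYPE)header.commonHeader.ATTRType;
    NameString = header.NameString;
    NonResident = header.commonHeader.NonResident;
    AttributeId = header.commonHeader.Id;
    AttributeSize = header.commonHeader.TotalSize;

    // Get IndexAllocation Bytes
    byte[] bytes = header.GetBytes();

    // Instantiate empty IndexEntry List
    List<IndexEntry> indexEntryList = new List<IndexEntry>();

    // Iterate through IndexBlocks (4096 bytes in size)
    for (int offset = 0; offset < bytes.Length; offset += 4096)
    {
        // The two update sequence fields end at offset + 0x08; a shorter trailing
        // fragment cannot hold a block header, so stop instead of reading past the buffer.
        if (bytes.Length - offset < 0x08)
        {
            break;
        }

        // Determine size of Update Sequence
        ushort usOffset = BitConverter.ToUInt16(bytes, offset + 0x04);
        ushort usSize = BitConverter.ToUInt16(bytes, offset + 0x06);
        int indexBlockSize = usOffset + (usSize * 2);

        if (indexBlockSize == 0)
        {
            break;
        }

        IndexBlock.ApplyFixup(ref bytes, offset);

        // Instantiate IndexBlock Object (Header)
        // NOTE(review): every length handed to Helper.GetSubArray below is derived from
        // fields inside the block itself; how GetSubArray reacts to a length that runs
        // past the buffer is not visible here - confirm it bounds-checks.
        IndexBlock indexBlock = new IndexBlock(Helper.GetSubArray(bytes, offset, indexBlockSize));

        if (indexBlock.Signature == "INDX")
        {
            // Create byte array for IndexEntry object
            // 0x18 represents the offset of the EntryOffset value, so it must be added on
            byte[] indexEntryBytes = Helper.GetSubArray(bytes, offset + (int)indexBlock.EntryOffset + 0x18, (int)indexBlock.TotalEntrySize);

            int entryOffset = 0;

            do
            {
                // The entry length is a 16-bit value at entry offset 0x08; make sure
                // those two bytes exist before reading them.
                if (indexEntryBytes.Length - entryOffset < 0x0A)
                {
                    break;
                }

                ushort entryLength = BitConverter.ToUInt16(indexEntryBytes, entryOffset + 0x08);

                // Instantiate an IndexEntry Object
                IndexEntry indexEntry = new IndexEntry(Helper.GetSubArray(indexEntryBytes, entryOffset, entryLength));
                entryOffset += indexEntry.Size;

                // Check if entry is the last in the Entry array
                if (indexEntry.Flags == 0x02 || indexEntry.Flags == 0x03)
                {
                    break;
                }

                // An entry that reports no size leaves entryOffset where it was, so the
                // loop would parse the same bytes forever and grow the list without bound.
                if (indexEntry.Size <= 0)
                {
                    break;
                }

                // Add IndexEntry Object to list
                indexEntryList.Add(indexEntry);

            } while (entryOffset < indexEntryBytes.Length);
        }
    }

    Entries = indexEntryList.ToArray();
}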
/// <summary>
/// Reads every non-sparse data run of the $J stream belonging to the given file record
/// and parses the UsnJrnl records found in each cluster.
/// </summary>
/// <param name="volume">Volume identifier handed to the boot record, file record and raw read helpers.</param>
/// <param name="recordnumber">File record number passed to <c>FileRecord.Get</c>.</param>
/// <returns>All UsnJrnl records that were parsed, in the order they were read.</returns>
private static UsnJrnl[] GetInstances(string volume, int recordnumber)
{
    // Boot record supplies the cluster size used for logical addressing
    VolumeBootRecord bootRecord = VolumeBootRecord.Get(volume);

    // File record for C:\$Extend\$UsnJrnl, and its $J data attribute (holds the UsnJrnl records)
    FileRecord journalRecord = FileRecord.Get(volume, recordnumber, true);
    NonResident J = UsnJrnl.GetJStream(journalRecord);

    List<UsnJrnl> parsedRecords = new List<UsnJrnl>();

    for (int runIndex = 0; runIndex < J.DataRun.Length; runIndex++)
    {
        // Sparse runs are skipped without reading anything from the volume
        if (J.DataRun[runIndex].Sparse)
        {
            continue;
        }

        long clustersInRun = J.DataRun[runIndex].ClusterLength;

        // Pull the whole run into memory in a single read
        byte[] runBytes = Helper.readDrive(
            volume,
            (J.DataRun[runIndex].StartCluster * bootRecord.BytesPerCluster),
            (clustersInRun * bootRecord.BytesPerCluster));

        // Scratch buffer reused for each cluster of the run
        byte[] clusterBytes = new byte[bootRecord.BytesPerCluster];

        for (int clusterIndex = 0; clusterIndex < clustersInRun; clusterIndex++)
        {
            Array.Copy(runBytes, (int)(clusterIndex * bootRecord.BytesPerCluster), clusterBytes, 0, clusterBytes.Length);

            int offset = 0;

            do
            {
                // A zero byte at the current position ends parsing of this cluster
                if (clusterBytes[offset] == 0)
                {
                    break;
                }

                try
                {
                    // The UsnJrnl constructor moves offset forward through the ref parameter
                    UsnJrnl parsed = new UsnJrnl(clusterBytes, volume, ref offset);

                    // Records newer than USN40Version are not kept and end this cluster
                    if (parsed.Version > USN40Version)
                    {
                        break;
                    }

                    parsedRecords.Add(parsed);
                }
                catch
                {
                    // NOTE(review): any exception ends parsing of this cluster silently, so the
                    // caller cannot tell that the remainder of the cluster was not examined.
                    break;
                }

            } while (offset >= 0 && offset < clusterBytes.Length);
        }
    }

    return parsedRecords.ToArray();
}
/// <summary>
/// Returns the bytes of the data attribute of the file record that
/// <c>GetFileRecord</c> resolves for the given volume.
/// </summary>
/// <param name="volume">Volume identifier passed to <c>Helper.getFileStream</c> and <c>GetFileRecord</c>.</param>
/// <returns>The byte array produced by <c>GetBytes()</c> on the attribute returned by <c>GetDataAttr</c>.</returns>
public static byte[] getBytes(string volume)
{
    // Open a stream on the volume; it is disposed when the using block exits
    using (FileStream volumeStream = Helper.getFileStream(volume))
    {
        // The boot record is parsed from the stream but its value is not read again here
        VolumeBootRecord bootRecord = VolumeBootRecord.Get(volumeStream);

        // Locate the file record, then its data attribute
        FileRecord targetRecord = GetFileRecord(volume);
        NonResident dataAttribute = GetDataAttr(targetRecord);

        byte[] contents = dataAttribute.GetBytes();
        return contents;
    }
}
/// <summary>
/// Returns the bytes of the data attribute of the file record that
/// <c>GetFileRecord</c> resolves for the given volume.
/// </summary>
/// <param name="volume">Volume identifier passed to <c>Util.getHandle</c>, <c>GetFileRecord</c> and <c>GetBytes</c>.</param>
/// <returns>The byte array produced by <c>GetBytes(volume)</c> on the attribute returned by <c>GetDataAttr</c>.</returns>
public static byte[] getBytes(string volume)
{
    // Obtain a handle for the volume and wrap it in a stream
    IntPtr volumeHandle = Util.getHandle(volume);

    // NOTE(review): whether disposing the stream also releases volumeHandle depends on
    // Util.getFileStream, which is not visible here - confirm the handle is not leaked.
    using (FileStream volumeStream = Util.getFileStream(volumeHandle))
    {
        // The boot record is parsed from the stream but its value is not read again here
        VolumeBootRecord bootRecord = VolumeBootRecord.Get(volumeStream);

        // Locate the file record, then its data attribute
        FileRecord targetRecord = GetFileRecord(volume);
        NonResident dataAttribute = GetDataAttr(targetRecord);

        byte[] contents = dataAttribute.GetBytes(volume);
        return contents;
    }
}