// Get Master File Table Bytes for "Get" Methods
// GetBytes will clean up IntPtr (Volume Handle) and FileStream objects
public static byte[] GetBytes(string volume)
{
// Get a handle to the specified volume
IntPtr hVolume = NativeMethods.getHandle(volume);
// Instatiate null byte array
byte[] mftBytes = null;
// Create FileStream to read from the Volume file handle
using (FileStream streamToRead = NativeMethods.getFileStream(hVolume))
{
// Instantiate VolumeData object
VolumeData volData = new VolumeData(hVolume);
// Calculate byte offset to the Master File Table (MFT)
ulong mftOffset = ((ulong)volData.BytesPerCluster * volData.MFTStartCluster);
// Read bytes belonging to specified MFT Record and store in byte array
MFTRecord mftRecord = new MFTRecord(NativeMethods.readDrive(streamToRead, mftOffset, (ulong)volData.BytesPerMFTRecord));
mftBytes = MFTRecord.getFile(streamToRead, mftRecord);
}
NativeMethods.CloseHandle(hVolume);
// Return byte array representing the Master File Table
return(mftBytes);
}
// Get Master File Table Bytes for "GetInstance" Functions
// Caller is responsible for cleaning up streamToRead and hVolume
public static byte[] GetBytes(IntPtr hVolume, FileStream streamToRead)
{
// Instantiate VolumeData object
VolumeData volData = new VolumeData(hVolume);
// Calculate byte offset to the Master File Table (MFT)
ulong mftOffset = ((ulong)volData.BytesPerCluster * volData.MFTStartCluster);
// Read bytes belonging to specified MFT Record and store in byte array
MFTRecord mftRecord = new MFTRecord(NativeMethods.readDrive(streamToRead, mftOffset, (ulong)volData.BytesPerMFTRecord));
// Return byte array representing the Master File Table
return(MFTRecord.getFile(streamToRead, mftRecord));
}
internal static AttrDef[] GetInstances(string volumeName)
{
// Get correct volume name from user input
NativeMethods.getVolumeName(ref volumeName);
// Get handle to Logical Volume
IntPtr hVolume = NativeMethods.getHandle(volumeName);
// Instantiate a List of AttrDef objects for output
List <AttrDef> adList = new List <AttrDef>();
// Create a FileStream object for the Volume
using (FileStream streamToRead = NativeMethods.getFileStream(hVolume))
{
// Instantiate a VolumeData object
VolumeData volData = new VolumeData(hVolume);
ulong attrDefOffset = ((volData.MFTStartCluster * (ulong)volData.BytesPerCluster) + ((ulong)volData.BytesPerMFTRecord * 4));
// Get the MFTRecord for the file with a record index of 4 ($AttrDef)
MFTRecord record = new MFTRecord(NativeMethods.readDrive(streamToRead, attrDefOffset, (ulong)volData.BytesPerMFTRecord));
// Get the content of the $AttrDef file in a byte array
byte[] bytes = MFTRecord.getFile(streamToRead, record);
// Iterate through 160 byte chunks (representing an AttrDef object)
for (int i = 0; (i < bytes.Length) && (bytes[i] != 0); i += 160)
{
byte[] attrDefBytes = new byte[160];
Array.Copy(bytes, i, attrDefBytes, 0, attrDefBytes.Length);
// Intantiate a new AttrDef object and add it to the adList List of AttrDef objects
adList.Add(new AttrDef(attrDefBytes));
}
}
NativeMethods.CloseHandle(hVolume);
// Return an array of AttrDef objects
return(adList.ToArray());
}