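/// <summary>Looks up an attribute of the given kind through <c>GetAttribute</c>, checks
/// it with <c>AssertResident</c> and returns a pointer to its value.</summary>
/// <param name="kind">Type of the attribute to look for.</param>
/// <param name="attributeHeader">On return, the attribute header reinterpreted as a
/// resident attribute, or null when <c>GetAttribute</c> found nothing.</param>
/// <param name="order">Forwarded unchanged to <c>GetAttribute</c>.</param>
/// <returns>The result of <c>GetValue()</c> on the header, or null when no attribute was
/// found.</returns>
internal unsafe void *GetResidentAttributeValue(NtfsAttributeType kind,
    out NtfsResidentAttribute *attributeHeader, uint order = 1)
{
    // NOTE(review): the stream handed back by GetAttribute is dropped without being
    // closed. Confirm whether it can be non-null for a resident attribute and who owns it.
    Stream dataStream;
    attributeHeader = (NtfsResidentAttribute *)GetAttribute(kind, out dataStream, order);

    // The null test has to come before the first dereference. The original called
    // AssertResident() first, so a missing attribute faulted on a null pointer and the
    // null branch of the return expression could never be taken.
    if (null == attributeHeader)
    {
        return null;
    }

    attributeHeader->AssertResident();
    return attributeHeader->GetValue();
}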
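/// <summary>Walks every entry of an attribute list attribute and hands each one to
/// <paramref name="callback"/>.</summary>
/// <param name="from">Pointer to the attribute list attribute. Must not be null and must
/// carry the <see cref="NtfsAttributeType.AttributeAttributeList"/> type.</param>
/// <param name="callback">Invoked once per list entry, in on-disk order.</param>
/// <exception cref="ArgumentNullException"><paramref name="from"/> is null.</exception>
/// <exception cref="ArgumentException"><paramref name="from"/> is not an attribute list.</exception>
/// <exception cref="ApplicationException">The list data is missing, too large, or an entry
/// length is inconsistent with the list length.</exception>
private static unsafe void _Dump(NtfsAttributeListAttribute *from, DumpCallbackDelegate callback)
{
    if (null == from)
    {
        throw new ArgumentNullException("from");
    }
    if (NtfsAttributeType.AttributeAttributeList != from->Header.AttributeType)
    {
        throw new ArgumentException("Not an attribute list attribute.", "from");
    }

    IPartitionClusterData disposableData = null;
    ListEntry *listBase = null;
    uint listLength;
    try
    {
        if (from->Header.IsResident)
        {
            // NOTE(review): ValueOffset and ValueLength are read from the attribute header
            // and used as-is; nothing visible here checks them against the size of the
            // enclosing record. Confirm the caller has validated them.
            NtfsResidentAttribute *listAttribute = (NtfsResidentAttribute *)from;
            listBase = (ListEntry *)((byte *)from + listAttribute->ValueOffset);
            listLength = listAttribute->ValueLength;
        }
        else
        {
            NtfsNonResidentAttribute *listAttribute = (NtfsNonResidentAttribute *)from;
            disposableData = listAttribute->GetData();
            if (null == disposableData)
            {
                throw new ApplicationException();
            }
            listBase = (ListEntry *)disposableData.Data;
            ulong candidateLength = listAttribute->DataSize;
            if (uint.MaxValue < candidateLength)
            {
                throw new ApplicationException();
            }
            listLength = (uint)candidateLength;
        }
        if (null == listBase)
        {
            throw new ApplicationException();
        }

        uint offset = 0;
        while (offset < listLength)
        {
            ListEntry *entry = (ListEntry *)((byte *)listBase + offset);
            uint entryLength = entry->EntryLength;

            // The entry length comes from the volume being parsed. A zero value would spin
            // this loop forever and an oversized one would move the cursor past the list
            // data, so both are rejected before the entry is used.
            if (0 == entryLength)
            {
                throw new ApplicationException("Attribute list entry with a zero length.");
            }
            if (entryLength > (listLength - offset))
            {
                throw new ApplicationException("Attribute list entry overruns the list data.");
            }

            callback(entry);
            offset += entryLength;
        }
    }
    finally
    {
        if (null != disposableData)
        {
            disposableData.Dispose();
        }
    }
}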
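/// <summary>Dumps the content of the data attribute through <c>Helpers.BinaryDump</c>:
/// directly from the attribute for a resident one, in 16 KiB chunks read from a stream
/// otherwise.</summary>
/// <exception cref="ApplicationException">No data attribute was found.</exception>
internal unsafe void BinaryDumpContent()
{
    Stream attributeDataStream = null;
    try
    {
        NtfsAttribute *dataAttribute =
            GetAttribute(NtfsAttributeType.AttributeData, out attributeDataStream);
        if (null == dataAttribute)
        {
            throw new ApplicationException();
        }

        if (dataAttribute->IsResident)
        {
            // NOTE(review): ValueOffset and ValueLength come from the attribute header and
            // are not bounds-checked here; confirm they were validated against the record.
            NtfsResidentAttribute *realDataAttribute = (NtfsResidentAttribute *)dataAttribute;
            Helpers.BinaryDump((byte *)realDataAttribute + realDataAttribute->ValueOffset,
                realDataAttribute->ValueLength);
        }
        else
        {
            NtfsNonResidentAttribute *realDataAttribute = (NtfsNonResidentAttribute *)dataAttribute;
            byte[] localBuffer = new byte[16 * 1024];
            fixed (byte *pBuffer = localBuffer)
            {
                if (null == attributeDataStream)
                {
                    attributeDataStream = realDataAttribute->OpenDataStream();
                }
                while (true)
                {
                    int readLength = attributeDataStream.Read(localBuffer, 0, localBuffer.Length);

                    // System.IO.Stream.Read reports end of stream with 0, not -1. Accept
                    // both so a stream that follows the base contract ends the loop here
                    // instead of producing an empty dump.
                    if (readLength <= 0)
                    {
                        break;
                    }
                    Helpers.BinaryDump(pBuffer, (uint)readLength);

                    // A short read is taken as the last chunk, as before.
                    // NOTE(review): Stream allows short reads before end of stream; confirm
                    // the attribute stream never returns one mid-data, else output truncates.
                    if (readLength < localBuffer.Length)
                    {
                        break;
                    }
                }
            }
        }
    }
    finally
    {
        if (null != attributeDataStream)
        {
            attributeDataStream.Close();
        }
    }
}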
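/// <summary>Locates the $UsnJrnl metadata file, reads its filtered data attribute cluster
/// by cluster, reports how many leading null bytes precede the first non-null byte and
/// dumps the data from that point on. The method is unfinished: it always ends by
/// throwing <see cref="NotImplementedException"/>.</summary>
/// <exception cref="System.IO.FileNotFoundException">$UsnJrnl was not found.</exception>
/// <exception cref="ApplicationException">The expected attribute is missing, or no data
/// stream was returned with it.</exception>
/// <exception cref="NotSupportedException">The attribute is resident.</exception>
private unsafe void _Run()
{
    NtfsPartition partition = Partition;
    // NOTE(review): clusterData is never assigned, so the outer finally is a no-op.
    IPartitionClusterData clusterData = null;
    try
    {
        // Note : We could also use the NtfsWellKnownMetadataFiles.Extend entry to
        // locate the directory, then find the $UsnJrnl entry directly from there.
        string fileName = @"$UsnJrnl";
        NtfsIndexEntryHeader *fileDescriptor =
            partition.FindFile(fileName, NtfsWellKnownMetadataFiles.Extend);
        if (null == fileDescriptor)
        {
            throw new System.IO.FileNotFoundException(fileName);
        }

        IPartitionClusterData fileData = null;
        // Declared outside the try so the finally can close it on every exit path; the
        // original never closed this stream.
        Stream dataStream = null;
        try
        {
            NtfsFileRecord *fileRecord =
                partition.GetFileRecord(fileDescriptor->FileReference, ref fileData);
            fileRecord->AssertRecordType();

            // We retrieve the first attribute here.
            NtfsAttribute *jAttribute = fileRecord->GetAttribute(
                NtfsAttributeType.AttributeData, out dataStream, 1, _isDollarJAttributeNameFilter);
            if (null == jAttribute)
            {
                throw new ApplicationException();
            }
            if (jAttribute->IsResident)
            {
                // Seems this is never the case.
                throw new NotSupportedException("CODE REVIEW REQUIRED");
            }
            NtfsNonResidentAttribute *jNrAttribute = (NtfsNonResidentAttribute *)jAttribute;
            jNrAttribute->Dump();

            byte[] buffer = new byte[NtfsPartition.Current.ClusterSize];
            DateTime sparseReadStartTime = DateTime.UtcNow;
            TimeSpan sparseReadDuration;
            if (null == dataStream)
            {
                // Deliberate stop kept from the original: this path has not been reviewed.
                dataStream = jNrAttribute->OpenDataStream();
                throw new ApplicationException("CODE REVIEW REQUIRED");
            }

            int totalReads = 0;
            bool nonNullByteFound = false;
            while (true)
            {
                int readCount = dataStream.Read(buffer, 0, buffer.Length);

                // System.IO.Stream.Read signals end of stream with 0. Testing only for -1
                // would loop forever on a stream that follows the base contract.
                if (readCount <= 0)
                {
                    sparseReadDuration = DateTime.UtcNow - sparseReadStartTime;
                    break;
                }

                // The scan must run while nothing has been found yet. The original tested
                // the flag without negation, so the scan never ran, the flag never became
                // true and nothing was ever dumped.
                if (!nonNullByteFound)
                {
                    for (int index = 0; index < readCount; index++)
                    {
                        if (0 == buffer[index])
                        {
                            continue;
                        }
                        sparseReadDuration = DateTime.UtcNow - sparseReadStartTime;
                        Console.WriteLine("{0} null leading bytes found after {1} secs.",
                            totalReads + index, (int)sparseReadDuration.TotalSeconds);
                        nonNullByteFound = true;
                        break;
                    }
                }
                totalReads += readCount;
                if (nonNullByteFound)
                {
                    Helpers.BinaryDump(buffer, (uint)readCount);
                }
            }
            if (!nonNullByteFound)
            {
                sparseReadDuration = DateTime.UtcNow - sparseReadStartTime;
                Console.WriteLine("{0} null leading bytes found after {1} secs.",
                    totalReads, (int)sparseReadDuration.TotalSeconds);
            }
            throw new NotImplementedException();

            // Everything below is unreachable work in progress, kept as the author left it.
            NtfsAttribute *rawAttribute =
                fileRecord->GetAttribute(NtfsAttributeType.AttributeData, out dataStream, 1);
            if (null == rawAttribute)
            {
                throw new ApplicationException();
            }
            if ("$Max" != rawAttribute->Name)
            {
                throw new ApplicationException();
            }
            if (rawAttribute->IsResident)
            {
                NtfsResidentAttribute *reMaxAttribute = (NtfsResidentAttribute *)rawAttribute;
                if (FeaturesContext.InvariantChecksEnabled)
                {
                    if (0x20 != reMaxAttribute->ValueLength)
                    {
                        throw new ApplicationException();
                    }
                }
                MaxAttribute *maxAttribute =
                    (MaxAttribute *)((byte *)reMaxAttribute + reMaxAttribute->ValueOffset);
            }
            else
            {
                throw new NotSupportedException();
            }
            rawAttribute =
                fileRecord->GetAttribute(NtfsAttributeType.AttributeData, out dataStream, 2);
            if (null == rawAttribute)
            {
                throw new ApplicationException();
            }
            if ("$J" != rawAttribute->Name)
            {
                throw new ApplicationException();
            }
            throw new NotImplementedException();
        }
        finally
        {
            try
            {
                if (null != dataStream)
                {
                    dataStream.Close();
                }
            }
            finally
            {
                if (null != fileData)
                {
                    fileData.Dispose();
                }
            }
        }
    }
    finally
    {
        if (null != clusterData)
        {
            clusterData.Dispose();
        }
    }
}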
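/// <summary>Walks the entries of an attribute list attribute and invokes
/// <paramref name="listEntryHandler"/> on the first entry of each (attribute type,
/// attribute number) run that matches <paramref name="searchedAttributeType"/>.</summary>
/// <param name="from">Pointer to the attribute list attribute to be used for
/// enumeration.</param>
/// <param name="searchedAttributeType">The type of the searched attribute or
/// <see cref="NtfsAttributeType.Any"/> if the caller is interested in all kinds of
/// attributes.</param>
/// <param name="listEntryHandler">A callback to be invoked on each entry matching
/// the attribute type selection criteria. Returning false stops the enumeration.</param>
/// <exception cref="ArgumentNullException"><paramref name="from"/> is null.</exception>
/// <exception cref="ArgumentException"><paramref name="from"/> is not an attribute list.</exception>
/// <exception cref="ApplicationException">The list data is missing, too large, or an entry
/// length is inconsistent with the list length.</exception>
/// <remarks>WARNING : It might seem counterintuitive to have this method at class
/// level instead of making it an instance one. This is because we absolutely don't want
/// it to be invoked on an object reference that is subject to being moved in memory by
/// the GC. Forcing the caller to provide a pointer makes her responsible for enforcing
/// the pinning requirements.</remarks>
internal static unsafe void EnumerateEntries(NtfsAttribute *from,
    NtfsAttributeType searchedAttributeType, EntryEnumeratorCallbackDelegate listEntryHandler)
{
    if (null == from)
    {
        throw new ArgumentNullException("from");
    }
    if (NtfsAttributeType.AttributeAttributeList != from->AttributeType)
    {
        throw new ArgumentException("Not an attribute list attribute.", "from");
    }

    IPartitionClusterData listAttributeData = null;
    // Address of first ListEntry item for this attribute.
    ListEntry *listBase = null;
    uint listLength;
    try
    {
        if (from->IsResident)
        {
            // NOTE(review): ValueOffset and ValueLength are taken from the attribute header
            // as-is; nothing visible here checks them against the enclosing record size.
            NtfsResidentAttribute *listAttribute = (NtfsResidentAttribute *)from;
            listBase = (ListEntry *)((byte *)from + listAttribute->ValueOffset);
            listLength = listAttribute->ValueLength;
        }
        else
        {
            NtfsNonResidentAttribute *listAttribute = (NtfsNonResidentAttribute *)from;
            listAttributeData = listAttribute->GetData();
            if (null == listAttributeData)
            {
                throw new ApplicationException();
            }
            listBase = (ListEntry *)listAttributeData.Data;
            ulong candidateLength = listAttribute->DataSize;
            if (uint.MaxValue < candidateLength)
            {
                throw new ApplicationException();
            }
            listLength = (uint)candidateLength;
        }
        if (null == listBase)
        {
            throw new ApplicationException();
        }

        NtfsAttributeType currentAttributeType = NtfsAttributeType.Any;
        ushort currentAttributeNumber = ushort.MaxValue;
        ListEntry *scannedEntry;
        uint entryLength;
        for (uint offset = 0; offset < listLength; offset += entryLength)
        {
            scannedEntry = (ListEntry *)((byte *)listBase + offset);
            entryLength = scannedEntry->EntryLength;

            // The entry length is read from the volume being parsed. Zero would stall the
            // loop (every 'continue' below re-enters at the same offset) and an oversized
            // value would carry the cursor past the list data, so reject both up front.
            if (0 == entryLength)
            {
                throw new ApplicationException("Attribute list entry with a zero length.");
            }
            if (entryLength > (listLength - offset))
            {
                throw new ApplicationException("Attribute list entry overruns the list data.");
            }

            if ((currentAttributeNumber == scannedEntry->AttributeNumber)
                && (currentAttributeType == scannedEntry->AttributeType))
            {
                // The entry is a continuation of the previous one. Ignore it. It should
                // have been processed by a previous loop if required.
                continue;
            }
            currentAttributeNumber = scannedEntry->AttributeNumber;
            currentAttributeType = scannedEntry->AttributeType;
            if ((NtfsAttributeType.Any != searchedAttributeType)
                && (scannedEntry->AttributeType != searchedAttributeType))
            {
                // This entry doesn't match the search criteria on attribute type.
                continue;
            }

            EntryListReferencedAttributeHandlerDelegate attributeDataHandler;
            bool includeData;
            if (!listEntryHandler(scannedEntry, out attributeDataHandler, out includeData))
            {
                // The callback doesn't wish to continue with other list entries.
                return;
            }
            if (null == attributeDataHandler)
            {
                // The callback doesn't wish to retrieve the attribute itself for the
                // currently scanned entry.
                continue;
            }
            // The last callback invocation decided it needs some data from the attribute
            // itself before deciding what to do.
            if (!HandleEntryReferencedAttribute(scannedEntry, listLength - offset,
                attributeDataHandler, includeData))
            {
                return;
            }
        }
    }
    finally
    {
        if (null != listAttributeData)
        {
            listAttributeData.Dispose();
        }
    }
}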
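/// <summary>Wraps the value bytes of a resident attribute in a <c>ResidentData</c>
/// instance.</summary>
/// <param name="attribute">Pointer to the resident attribute whose value is wanted.</param>
/// <returns>A <c>ResidentData</c> built from the address <c>attribute + ValueOffset</c> and
/// the attribute's <c>ValueLength</c>.</returns>
/// <exception cref="ArgumentNullException"><paramref name="attribute"/> is null.</exception>
/// <remarks>WARNING : It might seem counterintuitive to have this method at class level instead
/// of making it an instance one. This is because we absolutely don't want it to be invoked on an
/// object reference that is subject to being moved in memory by the GC. Forcing the caller to provide
/// a pointer makes her responsible for enforcing the pinning requirements.</remarks>
internal static unsafe IPartitionClusterData GetData(NtfsResidentAttribute *attribute)
{
    // Same guard as the other pointer-taking entry points in this file; without it a null
    // pointer is dereferenced on the next line.
    if (null == attribute)
    {
        throw new ArgumentNullException("attribute");
    }

    // NOTE(review): ValueOffset and ValueLength are read from the attribute header and
    // passed on unchecked; confirm they were validated against the enclosing record.
    return new ResidentData((byte *)attribute + attribute->ValueOffset, attribute->ValueLength);
}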