unsafe private static void EnumerateFiles(string volumeName, IntPtr pVolume, IntPtr medBuffer, Dictionary <ulong, USNRecord> files) { IntPtr pData = Marshal.AllocHGlobal(sizeof(UInt64) + 0x10000); PInvokeWin32.ZeroMemory(pData, sizeof(UInt64) + 0x10000); uint outBytesReturned = 0; while (false != PInvokeWin32.DeviceIoControl(pVolume, PInvokeWin32.FSCTL_ENUM_USN_DATA, medBuffer, sizeof(PInvokeWin32.MFT_ENUM_DATA), pData, sizeof(UInt64) + 0x10000, out outBytesReturned, IntPtr.Zero)) { IntPtr pUsnRecord = new IntPtr(pData.ToInt32() + sizeof(Int64)); while (outBytesReturned > 60) { PInvokeWin32.USN_RECORD usn = new PInvokeWin32.USN_RECORD(pUsnRecord); files.Add(usn.FRN, new USNRecord { Name = usn.FileName, ParentFrn = usn.ParentFRN, FRN = usn.FRN, IsFolder = usn.IsFolder, VolumeName = volumeName }); pUsnRecord = new IntPtr(pUsnRecord.ToInt32() + usn.RecordLength); outBytesReturned -= usn.RecordLength; } Marshal.WriteInt64(medBuffer, Marshal.ReadInt64(pData, 0)); } Marshal.FreeHGlobal(pData); }
unsafe internal static bool QueryUSNJournal(IntPtr pVolume, out PInvokeWin32.USN_JOURNAL_DATA ujd, out uint bytesReturned) { bool bOK = PInvokeWin32.DeviceIoControl( pVolume, PInvokeWin32.FSCTL_QUERY_USN_JOURNAL, IntPtr.Zero, 0, out ujd, sizeof(PInvokeWin32.USN_JOURNAL_DATA), out bytesReturned, IntPtr.Zero ); return(bOK); }
private static void AddVolumeRootRecord(string volumeName, Dictionary <ulong, USNRecord> files) { string rightVolumeName = string.Concat("\\\\.\\", volumeName); rightVolumeName = string.Concat(rightVolumeName, Path.DirectorySeparatorChar); IntPtr hRoot = PInvokeWin32.CreateFile(rightVolumeName, 0, PInvokeWin32.FILE_SHARE_READ | PInvokeWin32.FILE_SHARE_WRITE, IntPtr.Zero, PInvokeWin32.OPEN_EXISTING, PInvokeWin32.FILE_FLAG_BACKUP_SEMANTICS, IntPtr.Zero); if (hRoot.ToInt32() != PInvokeWin32.INVALID_HANDLE_VALUE) { PInvokeWin32.BY_HANDLE_FILE_INFORMATION fi = new PInvokeWin32.BY_HANDLE_FILE_INFORMATION(); bool bRtn = PInvokeWin32.GetFileInformationByHandle(hRoot, out fi); if (bRtn) { UInt64 fileIndexHigh = (UInt64)fi.FileIndexHigh; UInt64 indexRoot = (fileIndexHigh << 32) | fi.FileIndexLow; files.Add(indexRoot, new USNRecord { FRN = indexRoot, Name = volumeName, ParentFrn = 0, IsVolumeRoot = true, IsFolder = true, VolumeName = volumeName }); } else { throw new IOException("GetFileInformationbyHandle() returned invalid handle", new Win32Exception(Marshal.GetLastWin32Error())); } PInvokeWin32.CloseHandle(hRoot); } else { throw new IOException("Unable to get root frn entry", new Win32Exception(Marshal.GetLastWin32Error())); } }
internal static IntPtr GetVolumeJournalHandle(string volumeName) { string vol = string.Concat("\\\\.\\", volumeName); IntPtr pVolume = PInvokeWin32.CreateFile(vol, PInvokeWin32.GENERIC_READ | PInvokeWin32.GENERIC_WRITE, PInvokeWin32.FILE_SHARE_READ | PInvokeWin32.FILE_SHARE_WRITE, IntPtr.Zero, PInvokeWin32.OPEN_EXISTING, 0, IntPtr.Zero); if (pVolume.ToInt32() == PInvokeWin32.INVALID_HANDLE_VALUE) { throw new IOException(string.Format("CreateFile(\"{0}\") returned invalid handle", volumeName), new Win32Exception(Marshal.GetLastWin32Error())); } else { return(pVolume); } }
private void MonitorThread(string volume, MFTSearcherCache db) { IntPtr pbuffer = Marshal.AllocHGlobal(0x1000); PInvokeWin32.READ_USN_JOURNAL_DATA rujd = SetupInputData4JournalRead(volume, 0xFFFFFFFF); UInt32 cbRead; IntPtr prujd; while (true) { prujd = Marshal.AllocHGlobal(Marshal.SizeOf(rujd)); PInvokeWin32.ZeroMemory(prujd, Marshal.SizeOf(rujd)); Marshal.StructureToPtr(rujd, prujd, true); IntPtr pVolume = MFTSearcher.GetVolumeJournalHandle(volume); bool fok = PInvokeWin32.DeviceIoControl(pVolume, PInvokeWin32.FSCTL_READ_USN_JOURNAL, prujd, Marshal.SizeOf(typeof(PInvokeWin32.READ_USN_JOURNAL_DATA)), pbuffer, 0x1000, out cbRead, IntPtr.Zero); IntPtr pRealData = new IntPtr(pbuffer.ToInt32() + Marshal.SizeOf(typeof(Int64))); uint offset = 0; if (fok) { while (offset + Marshal.SizeOf(typeof(Int64)) < cbRead) { PInvokeWin32.USN_RECORD usn = new PInvokeWin32.USN_RECORD(new IntPtr(pRealData.ToInt32() + (int)offset)); ProcessUSN(usn, volume, db); offset += usn.RecordLength; } } Marshal.FreeHGlobal(prujd); rujd.StartUsn = Marshal.ReadInt64(pbuffer); } }
private static void EnumerateVolume(string volumeName, Dictionary <ulong, USNRecord> files) { IntPtr medBuffer = IntPtr.Zero; IntPtr pVolume = IntPtr.Zero; try { AddVolumeRootRecord(volumeName, files); pVolume = GetVolumeJournalHandle(volumeName); EnableVomuleJournal(pVolume); SetupMFTEnumInBuffer(ref medBuffer, pVolume); EnumerateFiles(volumeName, pVolume, medBuffer, files); } catch (Exception e) { Console.WriteLine(e.Message, e); Exception innerException = e.InnerException; while (innerException != null) { Console.WriteLine(innerException.Message, innerException); innerException = innerException.InnerException; } throw new ApplicationException("Error in EnumerateVolume()", e); } finally { if (pVolume.ToInt32() != PInvokeWin32.INVALID_HANDLE_VALUE) { PInvokeWin32.CloseHandle(pVolume); if (medBuffer != IntPtr.Zero) { Marshal.FreeHGlobal(medBuffer); } } } }
unsafe private static void SetupMFTEnumInBuffer(ref IntPtr medBuffer, IntPtr pVolume) { uint bytesReturned = 0; PInvokeWin32.USN_JOURNAL_DATA ujd = new PInvokeWin32.USN_JOURNAL_DATA(); bool bOk = QueryUSNJournal(pVolume, out ujd, out bytesReturned); if (bOk) { PInvokeWin32.MFT_ENUM_DATA med; med.StartFileReferenceNumber = 0; med.LowUsn = 0; med.HighUsn = ujd.NextUsn; int sizeMftEnumData = Marshal.SizeOf(med); medBuffer = Marshal.AllocHGlobal(sizeMftEnumData); PInvokeWin32.ZeroMemory(medBuffer, sizeMftEnumData); Marshal.StructureToPtr(med, medBuffer, true); } else { throw new IOException("DeviceIoControl() returned false", new Win32Exception(Marshal.GetLastWin32Error())); } }
unsafe private static void EnableVomuleJournal(IntPtr pVolume) { UInt64 MaximumSize = 0x800000; UInt64 AllocationDelta = 0x100000; UInt32 cb; PInvokeWin32.CREATE_USN_JOURNAL_DATA cujd; cujd.MaximumSize = MaximumSize; cujd.AllocationDelta = AllocationDelta; int sizeCujd = Marshal.SizeOf(cujd); IntPtr cujdBuffer = Marshal.AllocHGlobal(sizeCujd); PInvokeWin32.ZeroMemory(cujdBuffer, sizeCujd); Marshal.StructureToPtr(cujd, cujdBuffer, true); bool fOk = PInvokeWin32.DeviceIoControl(pVolume, PInvokeWin32.FSCTL_CREATE_USN_JOURNAL, cujdBuffer, sizeCujd, IntPtr.Zero, 0, out cb, IntPtr.Zero); if (!fOk) { throw new IOException("DeviceIoControl() returned false", new Win32Exception(Marshal.GetLastWin32Error())); } }