-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathNTFS.h
126 lines (124 loc) · 3.34 KB
/
NTFS.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
#ifndef _NTFS_H_
#define _NTFS_H_
#include "Utility.h"
struct PBS {
BYTE sector[512];
unsigned char JumpInstruction[3];
string Name;
unsigned int BytePerSector;
unsigned int SectorPerCluster;
unsigned char MediaDescriptor;
unsigned int ReservedSectors;
unsigned int SectorsPerTrack;
unsigned int NumOfHead;
unsigned int HiddenSectors;
unsigned long long TotalSectors;
unsigned long long MFTStartCluster;
unsigned long long MFTMirrStartCluster;
unsigned int BytePerMFTEntry;
unsigned char ClustersPerIndexBuffer;
unsigned long long VolumeSerialNumber;
LPCWSTR Disk;
bool CheckNTFS();
void print_PBS();
void read_PBS(LPCWSTR disk);
};
enum NTFSAttribute {
READ_ONLY = 1 << 0,
HIDDEN = 1 << 1,
SYSTEM = 1 << 2,
VOLLABLE = 1 << 3,
DIRECTORY = 1 << 4,
ARCHIVE = 1 << 5,
DEVICE = 1 << 6,
NORMAL = 1 << 7,
TEMPORARY = 1 << 8,
SPARSE_FILE = 1 << 9,
REPARSE_POINT = 1 << 10,
COMPRESSED = 1 << 11,
OFFLINE = 1 << 12,
NOT_INDEXED = 1 << 13,
ENCRYPTED = 1 << 14
};
struct StandardInfoAttr {
int Flags;
char* CreateTime; // 0 - 7
char* LastModifiedTime; // 8 - 15
char* LastAccessTime; // 24 - 31
StandardInfoAttr();
void print();
};
struct FileNameAttr {
unsigned int Size; // filenamestart + 16 -> 4
unsigned int Offset; // filenamestart + 20 -> 2
unsigned int ParentMFTEntry; // filenamestart + offset -> 8
wchar_t* LongName; // offset + 66 -> Size - 66
FileNameAttr();
void print();
};
struct DataAttr {
bool Resident; // true -> resident , false -> non-resident
unsigned long long Size;
int typeText; // 1 -> utf16, 0 -> ascii
wchar_t* DataUTF16;
char* DataASCII;
vector<unsigned long long> Lengths;
vector<unsigned long long> Offsets;
DataAttr();
void print();
};
struct MFTEntry {
BYTE* RawData;
unsigned int FileId; // 0x2C->4
unsigned char Flag; // 0x16->1
unsigned int StandardInfoStart; // 0x14->2
unsigned long long StandardInfoSize; // infoStart + 4 -> 4
unsigned int FileNameStart; // infostart + infosize;
unsigned long long FileNameSize; // filenameStart + 4 -> 4
unsigned int DataStart; // filenamestart + filenamesize
unsigned int DataId;
StandardInfoAttr StandardInfo;
FileNameAttr FileName;
DataAttr Data;
vector<MFTEntry*> childs;
MFTEntry(BYTE* rawData);
bool IsDirectory();
bool IsLeaf();
bool IsActiveRecord();
void AnalyzeStandardInfo();
void AnalyzeFileName();
void AnalyzeData();
void printRecord();
void printTree(int depth = 1);
void printListChild();
};
struct MFTFile {
unsigned int InfoOffset;
unsigned int InfoLength;
unsigned int FileNameOffset;
unsigned int FileNameLength;
unsigned int DataOffset;
unsigned int DataLength;
unsigned long long NumSector;
MFTFile();
MFTFile(PBS* pbs);
};
struct NTFS {
PBS* pbs;
MFTFile mftFile;
vector<MFTEntry*> MFTEntrys;
int root;
int current;
unordered_map<int, MFTEntry*> dictionary;
void Init(LPCWSTR disk);
void printBootSector();
void printCurrentTree();
void printTXTFile();
void changeDirectory(int order);
void backParentDirectory();
void readFile();
void showListChild();
wstring showPath();
void Finish();
};
#endif