
📄 dump.c

📁 NTFS(NT文件系统) for Linux的一个实现源码
📖 第 1 页 / 共 2 页
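/*
 *  dump.c
 *  Output functions for the ntfs tools
 *
 *  Copyright (C) 1995-1997 Martin von Löwis
 *  Copyright (C) 1997,1999 Régis Duchesne
 *  Copyright (c) 1999 Richard Russon
 *
 *  1999/04/05: Merged Security Descriptor dump code from Richard --red
 *
 *  Every routine in this file formats bytes that were read from a volume.
 *  Lengths, counts and offsets found in those bytes are not trustworthy on a
 *  damaged or deliberately crafted image, so they are checked against the
 *  buffer limits that are known at each point before being used.
 */

#include <errno.h>
#include "ntfstypes.h"
#include "struct.h"
#include "dump.h"
#include "config.h"
#include "util.h"
#include "nttools.h"
#include "inode.h"
#include "dir.h"
#include "support.h"
#include <stdio.h>
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#ifdef HAVE_IO_H
#include <io.h>
#endif
#include <ctype.h>
#include <stdlib.h>
#include "macros.h"

/* attribute names. Maybe this gets merged into ntfs_volume some day */
static char* attr_names=0;
static int attr_names_size;

/* Dump a block of memory starting at buf. Display length bytes. The displayed
   index of the first byte is start.
   Only the first length bytes of buf are read: a final row shorter than 16
   bytes is padded with blanks in the hex column instead of reading past the
   end of the caller's buffer. */
void dump_mem(unsigned char *buf, int start, int length)
{
	int offs,i;

	for(offs=0;offs<length;offs+=16)
	{
		/* number of bytes that really belong to this row */
		int row=length-offs<16 ? length-offs : 16;

		printf("%8.8X ",(unsigned int)(start+offs));
		for(i=0;i<16;i++)
		{
			if(i<row)
				printf("%2X ",buf[offs+i]);
			else
				printf("   ");
		}
		for(i=0;i<row;i++)
		{
			if(buf[offs+i]>31 && buf[offs+i]<128)
				putchar(buf[offs+i]);
			else
				putchar('.');
		}
		putchar('\n');
	}
}

/* dump from the raw volume, starting at position.
   Rows of 16 bytes are read from the volume's file descriptor and printed
   with dump_mem; a length of -1 means "until a read fails". A read that does
   not return a full row ends the dump after reporting through perror(). */
void dump(ntfs_volume *vol, ntfs_size_t position, int start, int length)
{
	int offset;

	ntfs_lseek(NTFS_FD(vol),position,SEEK_SET);
	for(offset=0;length==-1 || offset<length;offset+=16)
	{
		unsigned char buf[16];

		if(read(NTFS_FD(vol),buf,16)!=16)
		{
			perror("read");
			return;
		}
		/* buf is always a full row here, so dump_mem prints exactly
		   one line with the same layout as its own full rows */
		dump_mem(buf,start+offset,16);
	}
}

/* Print a zero-terminated string stored as byte pairs: the first byte of each
   pair is written, and a non-zero second byte aborts with an error message.
   NOTE(review): there is no length limit; the caller must guarantee that a
   terminating zero byte exists inside the buffer. */
static void uniprintz(char *first)
{
	while(*first){
		putchar(*first++);
		if(*first++){
			printf("!!!!Error printing string\n");
			return;
		}
	}
}

/* Find a string on the volume, starting at position. If searching for Unicode
   strings, the string argument should already be Unicode.

   The volume is scanned through a window of two BSIZE blocks so that a match
   may straddle a block boundary. Returns position + offset of the first match,
   or -1 when nothing is found, a read fails, or stringlen is not in the range
   1..BSIZE (a longer pattern would index past the two-block window).

   With ignore_case set, the caller's string is lower-cased in place over all
   stringlen bytes; stopping at the first zero byte would leave a Unicode
   pattern mostly untouched.

   NOTE(review): the result is narrowed to int, so offsets on large volumes can
   be truncated. Each block is only scanned after the following block has been
   read successfully, so the last block before a read failure is not searched. */
#define BSIZE	32768
int grep(ntfs_volume *vol, ntfs_size_t position, int length,
	 unsigned char *string, int stringlen, int ignore_case)
{
	int offset;
	int b_offs;
	int i;
	unsigned char buf[2*BSIZE];

	if(stringlen<1 || stringlen>BSIZE)
		return -1;
	if(ignore_case)
		for(i=0;i<stringlen;i++)
			string[i]=tolower(string[i]);
	ntfs_lseek(NTFS_FD(vol),position,SEEK_SET);
	/* a short first read would leave part of the window uninitialised */
	if(read(NTFS_FD(vol),buf,BSIZE)!=BSIZE)
	{
		perror("read");
		return -1;
	}
	if(ignore_case)
		for(i=0;i<BSIZE;i++)
			buf[i]=tolower(buf[i]);
	for(offset=b_offs=0;length==-1 || offset<length;offset+=BSIZE)
	{
		if(read(NTFS_FD(vol),buf+BSIZE,BSIZE)!=BSIZE)
		{
			perror("read");
			return -1;
		}
		if(ignore_case)
			for(i=BSIZE;i<2*BSIZE;i++)
				buf[i]=tolower(buf[i]);
		/* b_offs < BSIZE and stringlen <= BSIZE keep b_offs+i inside buf */
		for(;b_offs<BSIZE;b_offs++)
			if(buf[b_offs]==string[0])
			{
				for(i=0;i<stringlen;i++)
					if(buf[b_offs+i]!=string[i])
						break;
				if(i==stringlen)
					return position+offset+b_offs;
			}
		/* slide the window: the second block becomes the first */
		ntfs_memcpy(buf,buf+BSIZE,BSIZE);
		b_offs-=BSIZE;
	}
	return -1;
}

/* Print the name of an attribute type, or "Unknown type".
   On first use the data attribute of the FILE_ATTRDEF inode is read into a
   heap buffer that is cached in attr_names for the life of the process. The
   table is walked in 0xA0-byte records whose type code sits at +0x80 and
   whose name is printed from +2.
   Returns 0 on success, otherwise the error from ntfs_init_inode or
   ntfs_readwrite_attr, EINVAL if the data attribute is missing, or ENOMEM.

   NOTE(review): attrdef is initialised with ntfs_init_inode but never
   released here - confirm whether the inode needs an explicit cleanup call.
   NOTE(review): uniprintz is unbounded; a record whose name lacks a
   terminator would be printed past its own record. */
static int
print_attr_type(ntfs_volume* vol,int type)
{
	int offset,error;
	int found=0;
	ntfs_u8 *buf=0;

	if(!attr_names){
		ntfs_attribute *data;
		ntfs_io io;
		ntfs_inode attrdef;

		error=ntfs_init_inode(&attrdef,vol,FILE_ATTRDEF);
		if(error)return error;
		offset=0;
		data=ntfs_find_attr(&attrdef,vol->at_data,NULL);
		if(!data)
			return EINVAL;
		/* zero-filled, so bytes a short read leaves behind are never
		   interpreted as uninitialised heap contents */
		buf=calloc(1,data->size);
		if(!buf)return ENOMEM;
		io.fn_put=ntfs_put;
		io.fn_get=ntfs_get;
		io.do_read=1;
		io.param=buf;
		/* request exactly what the buffer holds: a fixed 4096 is too
		   much for a smaller attribute and too little for a larger one */
		io.size=data->size;
		error=ntfs_readwrite_attr(&attrdef,data,offset,&io);
		if(error){
			free(buf);
			return error;
		}
		attr_names=(char*)buf;
		attr_names_size=data->size;
	}
	/* the 32-bit type field at +0x80 must lie completely inside the table */
	for(offset=0;offset+0x84<=attr_names_size;offset+=0xA0)
		if(NTFS_GETU32(attr_names+offset+0x80)==type){
			uniprintz(attr_names+offset+2);
			found=1;
			break;
		}
	if(!found)
		printf("Unknown type");
	return 0;
}

/* print the attribute list for the MFT record at offset on the volume.
   A 4096-byte record is read; a short read or a record rejected by
   ntfs_check_mft_record is reported on stderr and nothing is listed. */
void list_attributes(ntfs_volume *vol, ntfs_size_t offset)
{
	char rec[4096];

	ntfs_lseek(NTFS_FD(vol),offset,SEEK_SET);
	if(read(NTFS_FD(vol),rec,sizeof(rec))!=sizeof(rec)){
		perror("read");
		return;
	}
	if(!ntfs_check_mft_record(vol,rec)){
		fprintf(stderr,"Not a mft record\n");
		return;
	}
	list_attr_mem(vol,rec);
}

/* dump the standard information attribute: four 64-bit time stamps at
   +0x00, +0x08, +0x10 and +0x18.
   NOTE(review): no length is passed in; the caller must supply at least
   0x20 readable bytes. */
static void dump_standard_information(ntfs_u8 *start)
{
	printf("\tCreation time ");
	print_time(NTFS_GETU64(start));
	printf("\n\tModification time ");
	print_time(NTFS_GETU64(start + 0x8));
	printf("\n\tMFT Modification time ");
	print_time(NTFS_GETU64(start + 0x10));
	printf("\n\tAccess time ");
	print_time(NTFS_GETU64(start + 0x18));
	printf("\n");
}

/* dump the attribute list attribute, one entry per line, for the bytes in
   [start, stop).
   Each entry carries its own 16-bit length at +4. That length comes from the
   volume, so it is validated before use: an entry must hold the fixed fields
   up to the name at +0x1A and must end at or before stop. A zero length would
   otherwise loop forever and an oversized one would walk past the buffer.
   NOTE(review): the name length at +6 is handed to uniprint unchecked -
   confirm its unit and bound it against the entry length. */
static void dump_attribute_list(ntfs_u8 *start, ntfs_u8 *stop)
{
	while(start<stop){
		unsigned int entry_len;

		if(stop-start<0x1A){
			fprintf(stderr,"Truncated attribute list entry\n");
			return;
		}
		entry_len=NTFS_GETU16(start+4);
		if(entry_len<0x1A || entry_len>(unsigned int)(stop-start)){
			fprintf(stderr,"Bad attribute list entry length\n");
			return;
		}
		printf("\tType %X,MFT# %X,Start VCN %X ",NTFS_GETU32(start),
		       NTFS_GETU32(start+0x10),NTFS_GETU32(start+0x8));
		uniprint(start+0x1A,NTFS_GETU8(start+0x6));
		start+=entry_len;
		putchar('\n');
	}
}

/* Print a file name preceded by its name-space label. first points at a
   length byte, followed by a name-space byte (0..3), followed by the name
   itself, which is printed with uniprint.
   NOTE(review): the length byte is not checked against any buffer limit. */
static void print_name(ntfs_u8 *first)
{
	int length=*(unsigned char*)first++;

	switch(*first++)
	{
	case 0: printf("Posix-Name:");break;
	case 1: printf("Unicode-Name:");break;
	case 2: printf("DOS-Name:");break;
	case 3: printf("Unicode+DOS:");break;
	default:
		printf("Don't know how to read the name\n");
		return;
	}
	uniprint(first,length);
	puts("");
}

/* dump the filename attribute: the name block at +0x40 and the 32-bit value
   at +0, shown as the directory the name is indexed in */
static void dump_filename(ntfs_u8 *start)
{
	printf("\t");
	print_name(start+0x40);
	printf("\tIndexed in 0x%X\n",NTFS_GETU32(start));
}

/* dump a sid in S-R-I-S-S... form.
   Layout as read here: revision byte, sub-authority count byte, 6-byte
   big-endian identifier authority, then 32-bit sub-authorities.
   Returns the size the header claims, 8 + 4 * count, as before.

   The count is a byte taken from the volume and the function has no buffer
   length to check it against, so at most 15 sub-authorities (the largest
   number a valid SID can carry) are read; a larger count is shown as "-...".
   Sub-authorities are fetched with NTFS_GETU32, like every other on-disk
   field in this file, rather than through a cast that requires alignment. */
long dump_sid (ntfs_u8 *sid)
{
	enum { MAX_SUB_AUTH = 15 };
	int revision;
	int sa_count;
	int shown;
	int i;
	ntfs_u64 ident_auth = 0;

	revision = *sid;			/* Should always be 1 */
	sid++;
	sa_count = *sid;			/* Number of Sub-authorities */
	sid++;

	for (i = 0; i < 6; i ++)
	{
		ident_auth <<= 8;
		ident_auth += *sid;
		sid++;
	}

	printf ("S-%d-%llu", revision, (unsigned long long) ident_auth);

	shown = sa_count > MAX_SUB_AUTH ? MAX_SUB_AUTH : sa_count;
	for (i = 0; i < shown; i++)
	{
		printf ("-%u", (unsigned int) NTFS_GETU32 (sid));
		sid += 4;
	}
	if (shown < sa_count)
		printf ("-...");

	return 8 + (sa_count * 4);
}

/* Print the inheritance bits (0x1, 0x2, 0x4, 0x8) of an ACE flags byte */
void display_access_flags (ntfs_u8 flags)
{
	if (flags & 0x1) printf (" Obj inh ACE");
	if (flags & 0x2) printf (" Con inh ACE");
	if (flags & 0x4) printf (" No prop inh");
	if (flags & 0x8) printf (" Inh onlyACE");
}

/* Print a six-column summary of an access mask. A column shows its letter
   only when every bit of the corresponding pattern is set, '.' otherwise. */
void display_access_mask (ntfs_u32 mask)
{
	putchar ((mask & 0x00120089) == 0x00120089 ? 'R' : '.');
	putchar ((mask & 0x00120116) == 0x00120116 ? 'W' : '.');
	putchar ((mask & 0x001200a0) == 0x001200a0 ? 'X' : '.');
	putchar ((mask & 0x00010000) == 0x00010000 ? 'D' : '.');
	putchar ((mask & 0x00040000) == 0x00040000 ? 'P' : '.');
	putchar ((mask & 0x00080000) == 0x00080000 ? 'O' : '.');
}

/* Print mask (at +4) and inheritance flags (at +1) of an access-allowed ACE */
void display_access_allowed_ace (ntfs_u8 *ace)
{
	ntfs_u32 mask  = NTFS_GETU32 (ace + 4);
	ntfs_u8  flags = NTFS_GETU8  (ace + 1);

	display_access_mask (mask);
	display_access_flags (flags);
}

/* Print mask (at +4) and inheritance flags (at +1) of an access-denied ACE */
void display_access_denied_ace (ntfs_u8 *ace)
{
	ntfs_u32 mask  = NTFS_GETU32 (ace + 4);
	ntfs_u8  flags = NTFS_GETU8  (ace + 1);

	display_access_mask (mask);
	display_access_flags (flags);
}

/* Print the mask of a system-audit ACE and whether it audits success (0x80)
   and/or failure (0x40) */
void display_system_audit_ace (ntfs_u8 *ace)
{
	ntfs_u32 mask  = NTFS_GETU32 (ace + 4);
	ntfs_u8  flags = NTFS_GETU8  (ace + 1);

	display_access_mask (mask);
	if (flags & 0x80) printf (" Success ");
	if (flags & 0x40) printf (" Failure ");
}

/* Print one ACE and return the size stored in its header.
   Layout as read here: type at +0, flags at +1 (used by the per-type
   helpers), 16-bit size at +2, 32-bit mask at +4, SID at +8.
   Types 0x00, 0x01 and 0x02 are decoded; any other type prints the raw mask
   and the SID is not touched.
   NOTE(review): no buffer length is available here; the caller has to make
   sure the ACE, including its SID, lies inside the buffer. */
long display_ace (ntfs_u8 *ace)
{
	ntfs_u8  type     = NTFS_GETU8  (ace);
	ntfs_u16 ace_size = NTFS_GETU16 (ace + 2);
	ntfs_u32 mask     = NTFS_GETU32 (ace + 4);
	long sid_size     = 0;

	switch (type)
	{
		case 0x00:
			printf ("\t\tAccess allowed: ");
			display_access_allowed_ace(ace);
			break;
		case 0x01:
			printf ("\t\tAccess denied:  ");
			display_access_denied_ace(ace);
			break;
		case 0x02:
			printf ("\t\tSystem audit:   ");
			display_system_audit_ace(ace);
			break;
		default:
			printf ("\t\tUnknown:        %#010x\n", mask);
			return ace_size;
	}

	printf (" ");
	sid_size = dump_sid (ace + 8);
	printf ("\n");

	if (sid_size != ace_size) {
		/* I've seen this happen */
	}

	return ace_size;
}

/* Print the entry count of an ACL and then each ACE; returns the number of
   bytes walked (8 for the header plus the sizes of the ACEs shown).
   Layout as read here: 16-bit ACL size at +2, 16-bit ACE count at +4; the
   bytes at +0, +1 and +6 are not interpreted.

   The ACEs are only walked when the ACL size is smaller than len. Inside the
   walk every ACE is checked before it is decoded: its header must fit in the
   ACL, its own size must cover what display_ace reads (16 bytes for the
   decoded types 0x00-0x02, 8 otherwise) and it must end inside the ACL. The
   count and the sizes come from the volume; without these checks a crafted
   ACL would be read far past its end.
   NOTE(review): len is the length the caller passes, which is not
   necessarily the space remaining after acl - confirm against the caller. */
long display_acl (ntfs_u8 *acl, int len)
{
	ntfs_u32 acl_size = NTFS_GETU16 (acl + 2);
	ntfs_u32 num_aces = NTFS_GETU16 (acl + 4);
	long l;
	long size = 8;

	printf (" %u entr%s\n", (unsigned int) num_aces, num_aces == 1 ? "y" : "ies");

	if (len <= 0 || acl_size >= (ntfs_u32) len)
		return size;

	for (l = 0; l < (long) num_aces; l++)
	{
		long ace_len;
		long min_len;

		if (size + 8 > (long) acl_size)
		{
			fprintf (stderr, "ACE header beyond end of ACL\n");
			break;
		}
		ace_len = NTFS_GETU16 (acl + size + 2);
		min_len = NTFS_GETU8 (acl + size) <= 0x02 ? 16 : 8;
		if (ace_len < min_len || size + ace_len > (long) acl_size)
		{
			fprintf (stderr, "Bad ACE size\n");
			break;
		}
		size += display_ace (acl + size);
	}

	return size;
}

/* dump the security descriptor attribute */
/* NOTE(review): the offsets below are compared with a signed len and the
   whole len, not the space left after the offset, is handed on - the checks
   admit an offset whose structure still ends beyond the attribute. */
static void dump_security_descriptor(ntfs_u8 *start, int len)
{
	//ntfs_u32 unknown       = NTFS_GETU32 (start);		// This looks like flags
	ntfs_u32 off_user      = NTFS_GETU32 (start + 0x4);	// user SID
	ntfs_u32 off_group     = NTFS_GETU32 (start + 0x8);	// group SID
	ntfs_u32 off_acl_audit = NTFS_GETU32 (start + 0xC);	// ACL containing audit info
	ntfs_u32 off_acl_perms = NTFS_GETU32 (start + 0x10);	// ACL containing permission info

	/* When the Audit ACL is missing, its offset is zeroed */
	if (off_acl_audit && off_acl_audit < len) {
		printf ("\tACL - Audit");
		display_acl (start + off_acl_audit, len);
	}

	if (off_acl_perms < len) {
		printf ("\tACL - Permissions");
		display_acl (start + off_acl_perms, len);
	}

	if (off_user < len) {
		printf ("\tUser:  ");
		dump_sid (start + off_user);
		printf ("\n");
	}

	if (off_group < len) {
		printf ("\tGroup: ");
		dump_sid (start + off_group);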
