
📄 ntfs.hpp

📁 命令行方式的硬盘工具 可以在dos和nt下运行。 需要djgpp和vs7.0以上

#ifndef _NTFS_H
#define _NTFS_H

#ifndef _INT13_H
#include "int13.hpp"
#endif

using namespace SLib;
/*ntfs.h*/
/*winioctl.h: FSCTL_GET_NTFS_FILE_RECORD via DeviceIoControl (input buffer -> NTFS_FILE_RECORD_INPUT_BUFFER,
output buffer -> NTFS_FILE_RECORD_OUTPUT_BUFFER and FILE_RECORDER)
*/


/* Special files
\$MFT 
\$MFTMirr
\$LogFile
\$Volume
\$AttrDef
\$ // directory
\$Bitmap
\$Boot
\$BadClus
\$Secure
\$UpCase
\$Extend

*/

//#pragma pack(push)
// NOTE(review): 1-byte packing is switched on here without a push, and the matching
// "#pragma pack(pop)" further down in this header is commented out. The packing therefore
// stays in effect for everything after this point (the CNtfs class and any header included
// after this one). Consider wrapping only the on-disk structures in push/pop.
#pragma pack(1)

#ifndef _WIN32
// Input buffer for the file-record request named in the comment at the top of this header.
// Declared here only when _WIN32 is not defined (see the surrounding #ifndef).
typedef struct tagNTFS_FILE_RECORD_INPUT_BUFFER
{
	ULONGLONG FilereferenceNumber;	// presumably the reference number of the file record being requested - TODO confirm
}NTFS_FILE_RECORD_INPUT_BUFFER,*PNTFS_FILE_RECORD_INPUT_BUFFER;

// Output buffer for the file-record request named in the comment at the top of this header.
// Declared here only when _WIN32 is not defined (see the surrounding #ifndef).
// The one-element array at the end marks the start of variable-length data, so
// sizeof() of this struct does not describe the full buffer.
typedef struct tagNTFS_FILE_RECORD_OUTPUT_BUFFER
{
	ULONGLONG FileReferenceNumber;
	ULONG FileRecordlength;		// presumably the number of bytes available in FileRecordBuffer - TODO confirm
	// NOTE(review): readers should bound every access to FileRecordBuffer by the size of the
	// buffer they actually allocated, not only by FileRecordlength.
	UCHAR FileRecordBuffer[1];
}NTFS_FILE_RECORD_OUTPUT_BUFFER,*PNTFS_FILE_RECORD_OUTPUT_BUFFER;

#endif //!_WIN32
// Common header placed at the start of multi-sector records; it is the first member of
// FILE_RECORD_HEADER and INDEX_BLOCK_HEADER below.
typedef struct tagNTFS_RECORD_HEADER
{
	ULONG Type;		//'FILE','INDX','BAAD','HOLE','CHKD'
	// UsaOffset/UsaCount presumably locate the update sequence array handled by
	// CNtfs::FixupUpdateSequenceArray - TODO confirm.
	// NOTE(review): both values are read from disk; check that the array they describe lies
	// inside the record buffer before it is used.
	USHORT UsaOffset;
	USHORT UsaCount;
	USN Usn;
}NTFS_RECORD_HEADER,*PNTFS_RECORD_HEADER;

// Header of one MFT entry. Per the comment that follows this struct, an MFT entry is this
// header followed by a sequence of attributes.
typedef struct tagFILE_RECORD_HEADER
{
	NTFS_RECORD_HEADER Ntfs;	// common record header (type tag and update-sequence fields)
	USHORT SequenceNumber;
	USHORT LinkCount;
	// Presumably the byte offset from the start of this header to the first attribute - TODO confirm.
	// NOTE(review): value comes from disk; verify it is >= sizeof(FILE_RECORD_HEADER) and
	// smaller than the record size before walking attributes.
	USHORT AttributesOffset;
	USHORT Flags;		//InUse 0x1,Directory 0x2
	ULONG BytesInUse;		// NOTE(review): untrusted; should not exceed the allocated record size
	ULONG BytesAllcoated;	// (sic) spelling kept because the name is part of the interface
	ULONGLONG BaseFileRecord;
	USHORT NextAttributeNumber;
}FILE_RECORD_HEADER,*PFILE_RECORD_HEADER;

/*
An entry in the MFT consists of a FILE_RECORD_HEADER followed by a sequence of attributes.
*/

// Attribute type codes. Used as the AttributeType member of ATTRIBUTE and ATTRIBUTE_LIST
// and as the Type member of INDEX_ROOT.
// NOTE(review): this enum is embedded directly in packed on-disk structures, so their layout
// depends on the compiler giving the enum the expected width (its underlying type is
// implementation-defined) - confirm for every supported compiler.
// NOTE(review): values read from disk may not match any enumerator; treat unknown values as
// "unrecognised attribute" rather than assuming the list below is exhaustive.
typedef enum tagATTRIBUTE_TYPE
{
	AttributeStandardInformation=0x10,
	AttributeAttributeList=0x20,
	AttributeFileName=0x30,
	AttributeObjectId=0x40,
	AttributeSecurityDescriptor=0x50,
	AttributeVolumeName=0x60,
	AttributeVolumeInformation=0x70,
	AttributeData=0x80,
	AttributeIndexRoot=0x90,
	AttributeIndexAllocation=0xa0,
	AttributeBitmap=0xb0,
	AttributeReparesPoint=0xc0,		// (sic) "ReparsePoint"; spelling kept because the name is part of the interface
	AttributeEAInformation=0xd0,
	AttributeEA=0x0e0,
	AttributepropertySet=0x0f0,		// (sic) capitalisation kept because the name is part of the interface
	AttributeLoggedUtilityStream=0x100
}ATTRIBUTE_TYPE,*PATTRIBUTE_TYPE;

// Common attribute header; it is the first member of both RESIDENT_ATTRIBUTE and
// NONRESIDENT_ATTRIBUTE below.
typedef struct tagATTRIBUTE
{
	ATTRIBUTE_TYPE AttributeType;	// enum stored in a packed struct: layout relies on the enum's width
	// Presumably the total size in bytes of this attribute, used to step to the next one - TODO confirm.
	// NOTE(review): untrusted; a walker should reject a Length of zero or one that runs past
	// the end of the file record, otherwise it can loop forever or read out of bounds.
	ULONG Length;
	BOOLEAN Nonresident;	// presumably selects between the RESIDENT_ and NONRESIDENT_ layouts - TODO confirm
	UCHAR NameLength;
	USHORT NameOffset;		// NOTE(review): untrusted offset; bounds-check together with NameLength
	USHORT Flags;		//compressed = 0x1
	USHORT AttributeNumber;
}ATTRIBUTE,*PATTRIBUTE;


// Attribute header variant that starts with the common ATTRIBUTE header and adds a value
// length and value offset (presumably for values stored inside the file record - TODO confirm).
typedef struct tagRESIDENT_ATTRIBUTE
{
	ATTRIBUTE Attribute;
	// NOTE(review): ValueOffset + ValueLength are read from disk; verify the range stays inside
	// the enclosing attribute before copying the value.
	ULONG ValueLength;
	USHORT ValueOffset;
	USHORT Flags;		//0X1=Indexed
}RESIDENT_ATTRIBUTE,*PRESIDENT_ATTRIBUTE;

// Attribute header variant that starts with the common ATTRIBUTE header and adds a VCN range,
// a run-array offset and several size fields. This is the type taken by CNtfs::FindRun and
// CNtfs::ReadExternalAttribute.
typedef struct tagnonresident_attribute
{
	ATTRIBUTE Attribute;
	ULONGLONG LowVcn;
	ULONGLONG HighVcn;
	// Presumably the byte offset to the run list decoded by CNtfs::RunLength/RunLCN/RunCount - TODO confirm.
	// NOTE(review): untrusted; the run list must be parsed with an explicit end bound
	// (Attribute.Length), not only until a terminator is seen.
	USHORT RunArrayOffset;
	UCHAR CompressionUnit;			//unit: base-2 logarithm of the number of clusters
	UCHAR AlignmentOrReserved[5];
	// NOTE(review): the four sizes below come from disk; do not use them directly as
	// allocation or copy sizes without an upper limit.
	ULONGLONG AllocatedSize;
	ULONGLONG DataSize;
	ULONGLONG InitializedSize;
	ULONGLONG CompressedSize;
}NONRESIDENT_ATTRIBUTE,*PNONRESIDENT_ATTRIBUTE;

// Layout of the standard-information attribute value (timestamps, file attribute flags and,
// per the field comments, additional members present only on NTFS 3.0).
typedef struct tagSTANDARD_INFORMATION
{
	ULONGLONG CreationTime;		//Time is the number of 100-nanosecond intervals since January 1, 1601
	ULONGLONG ChangeTime;
	ULONGLONG LastWriteTime;
	ULONGLONG LastAccessTime;
	ULONG FileAtributes;		// (sic) flag values are listed in the comment after this struct
	ULONG AlignmentOrReservedOrUnknown[3];
	// NOTE(review): the members below are marked "ntfs 3.0 only"; on other volumes the stored
	// value is presumably shorter than sizeof(STANDARD_INFORMATION), so check the attribute's
	// value length before reading them - TODO confirm.
	ULONG Quotaid;		//ntfs 3.0 only
	ULONG SecurityId;		//ntfs 3.0 only
	ULONGLONG QuotaCharge;		//ntfs 3.0 only
	USN Usn;		//ntfs 3.0 only
}STANDARD_INFORMATION,*PSTANDARD_INFORMATION;

/* File attributes include:
FILE_ATTRIBUTE_READONLY
FILE_ATTRIBUTE_HIDDEN
FILE_ATTRIBUTE_SYSTEM
FILE_ATTRIBUTE_DIRECTORY
FILE_ATTRIBUTE_ARCHIVE
FILE_ATTRIBUTE_NORMAL
FILE_ATTRIBUTE_TEMPORARY
FILE_ATTRIBUTE_REPARSE_POINT
FILE_ATTRIBUTE_COMPRESSED
FILE_ATTRIBUTE_OFFLINE
FILE_ATTRIBUTE_NOT_CONTENT_INDEXED
FILE_ATTRIBUTE_ENCRYPTED
*/

// One entry of an attribute list: an attribute type plus the file reference number and
// starting VCN associated with it (presumably where that attribute is stored - TODO confirm).
typedef struct tagATTRIBUTE_LIST
{
	ATTRIBUTE_TYPE AttributeType;	// enum stored in a packed struct: layout relies on the enum's width
	// NOTE(review): Length is read from disk; when iterating entries, reject zero and any value
	// that steps past the end of the list.
	USHORT Length;
	UCHAR NameLength;
	UCHAR NameOffset;
	ULONGLONG LowVcn;
	ULONGLONG FileReferenceNumber;
	USHORT ttributenumber;		// (sic) leading 'A' missing; spelling kept because the name is part of the interface
	USHORT AlignmentOrReserved[3];
}ATTRIBUTE_LIST,*PATTRIBUTE_LIST;

// Layout of the file-name attribute value: parent directory reference, timestamps, sizes,
// attribute flags and a variable-length name that starts at Name[0].
typedef struct tagFILENAME_ATTRIBUTE
{
	ULONGLONG DirectoryFileReferenceNumber;
	ULONGLONG CreationTime;
	ULONGLONG ChangeTime;
	ULONGLONG LastWriteTime;
	ULONGLONG LastAccessTime;
	ULONGLONG AllocatedSize;
	ULONGLONG DataSize;
	ULONG FileAtributes;		// (sic) spelling kept because the name is part of the interface
	ULONG AlignmentOrReserved;
	UCHAR NameLength;		// presumably the number of WCHARs in Name - TODO confirm
	UCHAR NameType;		//0x1=Long,0x2=Short
	// Variable-length tail; the declared size of 1 is only a placeholder.
	// NOTE(review): nothing here indicates the name is NUL-terminated; copy exactly NameLength
	// characters, after checking they fit inside the attribute value, and terminate explicitly.
	WCHAR Name[1];
}FILENAME_ATTRIBUTE,*PFILENAME_ATTRIBUTE;

// Layout of the object-id attribute value: an object GUID followed by extended information
// that can be viewed either as three GUIDs or as 48 raw bytes.
// NOTE(review): the unnamed struct inside the union is a compiler extension rather than
// standard C++; confirm every supported compiler accepts it.
typedef struct tagOBJECTID_ATTRIBUTE
{
	GUID ObjectId;
	union
	{
		struct
		{
			GUID BirthVolumeId;
			GUID BirthObjectId;
			GUID DomainId;
		};
		UCHAR ExtendedInfo[48];		// same storage as the three GUIDs above
	};
}OBJECTID_ATTRIBUTE,*POBJECTID_ATTRIBUTE;

// Layout of the volume-information attribute value: NTFS major/minor version and volume flags.
typedef struct tagVOLUME_INFORMATION
{
	ULONG Unknown[2];
	UCHAR MajorVersion;
	UCHAR MinorVersion;
	USHORT Flags;		//VolumeIsDirty 0x1
}VOLUME_INFORMATION,*PVOLUME_INFORMATION;

// Index header shared by INDEX_ROOT and INDEX_BLOCK_HEADER (both embed it as DirectoryIndex).
typedef struct tagDIRECTORY_INDEX
{
	// NOTE(review): all three sizes/offsets are read from disk. Before iterating directory
	// entries, check EntriesOffset <= IndexblockLength <= AllocatedSize and that the whole
	// range lies inside the buffer that was actually read.
	ULONG EntriesOffset;
	ULONG IndexblockLength;
	ULONG AllocatedSize;
	ULONG Flags;		//0x0 =Small directory,0x1=Large directory
}DIRECTORY_INDEX,*PDIRECTORY_INDEX;

// Layout of the index-root attribute value: the indexed attribute type, collation rule,
// index block sizing, and the embedded DIRECTORY_INDEX header.
typedef struct tagINDEX_ROOT
{
	ATTRIBUTE_TYPE Type;		// enum stored in a packed struct: layout relies on the enum's width
	ULONG CollationRule;
	// NOTE(review): block sizes come from disk; validate (non-zero, sane upper bound) before
	// using them to size buffers.
	ULONG BytesperIndexBlock;
	ULONG ClustersPerIndexBlock;
	DIRECTORY_INDEX DirectoryIndex;
}INDEX_ROOT,*PINDEX_ROOT;

// Header of an index block: the common NTFS_RECORD_HEADER, the block's VCN, and the embedded
// DIRECTORY_INDEX header. The record's Type tag is presumably 'INDX' (listed among the
// NTFS_RECORD_HEADER type values) - TODO confirm.
typedef struct tagINDEX_BLOCK_HEADER
{
	NTFS_RECORD_HEADER Ntfs;
	ULONGLONG IndexBlockVcn;
	DIRECTORY_INDEX DirectoryIndex;
}INDEX_BLOCK_HEADER,*PINDEX_BLOCK_HEADER;


// Fixed part of one directory index entry. The commented-out members indicate that a
// FILENAME_ATTRIBUTE and, optionally, a trailing VCN follow this header in the entry.
typedef struct tagDIRECTORY_ENTRY
{
	ULONGLONG FileReferenceNumber;
	// NOTE(review): Length is read from disk; when stepping from entry to entry, reject values
	// smaller than sizeof(DIRECTORY_ENTRY) or extending past the index block, and stop on the
	// "last entry" flag.
	USHORT Length;
	USHORT Attributelength;
	ULONG Flags;		//0X1=has trailing vcn,0x2=last entry
	// FILENAME_ATTRIBUTE Name;
	//ULONGLONG Vcn;
}DIRECTORY_ENTRY,*PDIRECTORY_ENTRY;

// Layout of the reparse-point attribute value: a tag, a data length and variable-length data
// that starts at ReparseData[0].
typedef struct tagREPARSE_POINT
{
	ULONG ReparseTag;
	USHORT ReparseDataLength;	// NOTE(review): untrusted; must fit inside the attribute value
	USHORT Reserved;
	UCHAR ReparseData[1];		// variable-length tail; declared size is only a placeholder
}REPARSE_POINT,*PREPARSE_POINT;

// Two length fields for extended attributes. The "EZ" in the type name looks like a typo for
// "EA" (compare AttributeEAInformation); kept because the name is part of the interface.
typedef struct tagEZ_INFORMATION
{
	ULONG EaLength;
	ULONG EaQueryLength;
}EZ_INFORMATION,*PEZ_INFORMATION;

// One extended-attribute entry: offset to the next entry, flags, name/value lengths and a
// variable-length name starting at EaName[0]. The commented-out member suggests the value
// data follows the name.
typedef struct tagEA_ATTRIBUTE
{
	// NOTE(review): untrusted; a walker should require that NextEntryOffset moves forward and
	// stays inside the attribute, otherwise a crafted chain can loop or read out of bounds.
	ULONG NextEntryOffset;
	UCHAR Flags;
	UCHAR EaNameLength;
	USHORT EaValuelength;
	CHAR EaName[1];		// variable-length tail; declared size is only a placeholder
	//UCHAR eAdATA[];
}EA_ATTRIBUTE,*PEA_ATTRIBUTE;
/* NTFS BPB	 on MSDN 
WORD BytesPerSector; 
BYTE SectorsPerCluster;
WORD ReservedSectors ;
BYTE always0_1[3]; 
WORD NotusedbyNTFS1;
BYTE MediaDescriptor; 
WORD always0_2; 
WORD SectorsPerTrack ;
WORD NumberOfHeads; 
DWORD HiddenSectors; 
DWORD NotusedbyNTFS2; 
DWORD NotusedbyNTFS3; 
LONGLONG TotalSectors; 
LONGLONG LogicalClusterNumberforMFT ;
LONGLONG LogicalClusterNumberMFTMirr; 
DWORD ClustersPerFileRecordSegment ;
DWORD ClustersPerIndexBlock ;
LONGLONG VolumeSerialNumber; 
DWORD Checksum ;
*/
// On-disk layout of the NTFS boot sector (see the MSDN BPB field list in the comment above).
// With 1-byte packing and the usual Windows type widths the members add up to 512 bytes
// (84 bytes of fields, 426 bytes of code, 2 bytes of signature) - TODO confirm against the
// project's typedefs.
// NOTE(review): every field is read from the disk being examined. BytesPerSector,
// SectorsPerCluster and ClustersPerFileRecord in particular should be validated (non-zero,
// sane upper bound) before they are used in divisions, multiplications or buffer sizes.
typedef struct tagBOOT_BLOCK
{
	UCHAR Jump[3];
	UCHAR Format[8];
	USHORT BytesPerSector;
	UCHAR SectorsPerCluster;
	USHORT BootSectors;
	UCHAR Mbz1;					//not used
	USHORT Mbz2;				//not used
	USHORT Reserved1;			//not used
	UCHAR MediaType;
	USHORT Mbz3;				//not used
	USHORT SectorsPerTrack;
	USHORT NmberOfheads;
	ULONG PartitionOffset;
//	WORD	dwHideSector;		//new
	DWORD	dwMbzTotalSectors;		//new =0000
	DWORD	 Mbz4;				//not used, =08000800
	DWORD64	TotalSectors;			//original note reads "addressed with 264 sectors" (presumably 2^64 - TODO confirm)
	ULONGLONG MftStartLcn;
	ULONGLONG Mft2StartLcn;
	ULONG ClustersPerFileRecord;	//
	ULONG ClustersPerIndexBlock;	//8
	ULONGLONG VolumeSerialNumber;	//original note reads "4 checksum"; looks misplaced on this field - TODO confirm
	DWORD dwCheckSum;			//4 checksum (presumably a 4-byte checksum - TODO confirm)

	UCHAR Code[426];
	USHORT BootSignature;
}BOOT_BLOCK,*PBOOT_BLOCK;

//#pragma pack(pop)

// NTFS volume reader built on a CInt13 disk-access object. Holds a copy of the boot sector
// and a pointer to MFT file-record data, and declares helpers for locating attributes,
// decoding run lists and reading clusters. Most of the parsing interface is compiled only
// when _WIN32 is defined. Method bodies are not in this header.
//
// NOTE(review): the "#pragma pack(pop)" before this class is commented out, so the class is
// laid out under the 1-byte packing set for the on-disk structures.
// NOTE(review): the class holds raw pointers and has a user-declared destructor, but copy
// construction/assignment are left compiler-generated. If the destructor releases MFT (not
// visible here), copying an instance would free it twice - confirm and disable copying.
// NOTE(review): the read helpers take a bare PVOID buffer with no capacity argument and most
// return VOID, so the callee cannot check the destination size and callers cannot detect a
// failed read. Sizes derived from on-disk fields should be validated by the caller.
class CNtfs
{
protected:
	DWORD64 m_BootBlockPos;
	CInt13					*m_pInt13;		// supplied through the constructor; ownership not visible here
	CSError					*m_pError;		// supplied through the constructor; ownership not visible here
	ULONG					BytesPerFileRecord;
	BOOT_BLOCK				m_BootB;		// copy of the volume's boot sector
	PFILE_RECORD_HEADER		MFT;			// raw pointer; allocation and release are not visible here

	// NOTE(review): declared inline but not defined in this header; an inline function needs
	// its definition in every translation unit that calls it.
	inline BOOL ReadSector(ULONGLONG sector,ULONG count,PVOID buffer);
	inline BOOL WriteSector(ULONGLONG sector,ULONG count,PVOID buffer);
	inline BOOL BitSet(PUCHAR bitmap,ULONG i);

	// Returns p advanced by n bytes (not n elements), as a T1*. No bounds checking is done, so
	// n must already have been validated when it comes from an on-disk offset field.
	template <class T1,class T2 >inline
		T1*Padd(T1*p,T2 n){return (T1 *)((char *)p+n);}

public:
	CNtfs(	CInt13 *pInt13,CSError *perror);
	virtual ~CNtfs(void);
	BOOL LoadBootBlock(DWORD64 bootBlockSector);
#ifdef _WIN32

	BOOL FindRun(PNONRESIDENT_ATTRIBUTE attr,ULONGLONG vcn,PULONGLONG lcn,PULONGLONG count);
	PATTRIBUTE FindAttribute(PFILE_RECORD_HEADER file,ATTRIBUTE_TYPE type,PWSTR name);
	VOID FixupUpdateSequenceArray(PFILE_RECORD_HEADER file);
	VOID ReadLCN (ULONGLONG lcn,ULONG count,PVOID buffer);
	VOID ReadExternalAttribute(PNONRESIDENT_ATTRIBUTE attr,ULONGLONG vcn,ULONG count,PVOID buffer);
	ULONG AttributeLength(PATTRIBUTE attr);
	ULONG AttributeLengthAllocated(PATTRIBUTE attr);
	VOID ReadAttribute(PATTRIBUTE attr,PVOID buffer);
	VOID ReadVCN(PFILE_RECORD_HEADER file,ATTRIBUTE_TYPE type,ULONGLONG vcn ,ULONG count,PVOID buffer);
	VOID ReadFileRecord(ULONG index,PFILE_RECORD_HEADER file);
	BOOL LoadMFT(DWORD64 bootBlockSector);
	VOID FindDeleted();
	VOID DumpData(ULONG index,PCSTR filename);

	// Run-list decoding helpers. Each takes only a pointer into the run data with no end
	// bound, so the caller has to guarantee the encoded run lies inside the attribute.
	ULONG RunLength(PUCHAR run);
	LONGLONG RunLCN(PUCHAR run);
	ULONGLONG RunCount(PUCHAR run);
//#ifdef _WIN32
	void DecompressFile(IN tstring compressFile,OUT tstring decompressFile);
#endif //#ifdef _WIN32
	/*

	This function has no associated import library. This function is available as a resource named SystemFunction041 in Advapi32.dll. 
	You must use the LoadLibrary and GetProcAddress functions to dynamically link to Advapi32.dll.
	NTSTATUS RtlDecryptMemory(
	PVOID Memory,
	ULONG MemoryLength,
	ULONG OptionFlags
	);


	This function has no associated import library. This function is available as a resource named SystemFunction040 in Advapi32.dll. 
	You must use the LoadLibrary and GetProcAddress functions to dynamically link to Advapi32.dll.
	NTSTATUS RtlEncryptMemory(
	PVOID Memory,
	ULONG MemoryLength,
	ULONG OptionFlags
	);

	Ntsecapi.h.
	*/


	// Returns a string form of the stored boot block (m_BootB), judging by the name - TODO confirm.
	tstring BootBToString(void);
};



#endif //_NTFS_H
