📄 layout.h
字号:
* fields but the meaning as defined below has been verified to be
* correct by practical experimentation on Windows NT4 SP6a and is hence
* assumed to be the one and only correct interpretation.
*/
typedef struct {
/*hex ofs*/
/* 0*/ MFT_REF parent_directory; /* Directory this filename is
referenced from. */
/* 8*/ s64 creation_time; /* Time file was created. */
/* 10*/ s64 last_data_change_time; /* Time the data attribute was last
modified. */
/* 18*/ s64 last_mft_change_time; /* Time this mft record was last
modified. */
/* 20*/ s64 last_access_time; /* Last time this mft record was
accessed. */
/* 28*/ s64 allocated_size; /* Byte size of allocated space for the
data attribute. NOTE: Is a multiple
of the cluster size. */
/* 30*/ s64 data_size; /* Byte size of actual data in data
attribute. */
/* 38*/ FILE_ATTR_FLAGS file_attributes; /* Flags describing the file. */
/* 3c*/ union {
/* 3c*/ struct {
/* 3c*/ u16 packed_ea_size; /* Size of the buffer needed to
pack the extended attributes
(EAs), if such are present.*/
/* 3e*/ u16 reserved; /* Reserved for alignment. */
} __attribute__ ((__packed__)) ea;
/* 3c*/ struct {
/* 3c*/ u32 reparse_point_tag; /* Type of reparse point,
present only in reparse
points and only if there are
no EAs. */
} __attribute__ ((__packed__)) rp;
} __attribute__ ((__packed__)) type;
/* 40*/ u8 file_name_length; /* Length of file name in
(Unicode) characters. */
/* 41*/ FILE_NAME_TYPE_FLAGS file_name_type; /* Namespace of the file name.*/
/* 42*/ uchar_t file_name[0]; /* File name in Unicode. */
} __attribute__ ((__packed__)) FILE_NAME_ATTR;
/*
* GUID structures store globally unique identifiers (GUID). A GUID is a
* 128-bit value consisting of one group of eight hexadecimal digits, followed
* by three groups of four hexadecimal digits each, followed by one group of
* twelve hexadecimal digits. GUIDs are Microsoft's implementation of the
* distributed computing environment (DCE) universally unique identifier (UUID).
* Example of a GUID:
* 1F010768-5A73-BC91-0010A52216A7
*/
typedef struct {
u32 data1; /* The first eight hexadecimal digits of the GUID. */
u16 data2; /* The first group of four hexadecimal digits. */
u16 data3; /* The second group of four hexadecimal digits. */
u8 data4[8]; /* The first two bytes are the third group of four
hexadecimal digits. The remaining six bytes are the
final 12 hexadecimal digits. */
} __attribute__ ((__packed__)) GUID;
/*
* FILE_Extend/$ObjId contains an index named $O. This index contains all
* object_ids present on the volume as the index keys and the corresponding
* mft_record numbers as the index entry data parts. The data part (defined
* below) also contains three other object_ids:
* birth_volume_id - object_id of FILE_Volume on which the file was first
* created. Optional (i.e. can be zero).
* birth_object_id - object_id of file when it was first created. Usually
* equals the object_id. Optional (i.e. can be zero).
* domain_id - Reserved (always zero).
*/
typedef struct {
MFT_REF mft_reference; /* Mft record containing the object_id in
the index entry key. */
union {
struct {
GUID birth_volume_id;
GUID birth_object_id;
GUID domain_id;
} __attribute__ ((__packed__)) origin;
u8 extended_info[48];
} __attribute__ ((__packed__)) opt;
} __attribute__ ((__packed__)) OBJ_ID_INDEX_DATA;
/*
* Attribute: Object id (NTFS 3.0+) (0x40).
*
* NOTE: Always resident.
*/
typedef struct {
GUID object_id; /* Unique id assigned to the
file.*/
/* The following fields are optional. The attribute value size is 16
bytes, i.e. sizeof(GUID), if these are not present at all. Note,
the entries can be present but one or more (or all) can be zero
meaning that that particular value(s) is(are) not defined. */
union {
struct {
GUID birth_volume_id; /* Unique id of volume on which
the file was first created.*/
GUID birth_object_id; /* Unique id of file when it was
first created. */
GUID domain_id; /* Reserved, zero. */
} __attribute__ ((__packed__)) origin;
u8 extended_info[48];
} __attribute__ ((__packed__)) opt;
} __attribute__ ((__packed__)) OBJECT_ID_ATTR;
/*
* The pre-defined IDENTIFIER_AUTHORITIES used as SID_IDENTIFIER_AUTHORITY in
* the SID structure (see below).
*/
//typedef enum { /* SID string prefix. */
// SECURITY_NULL_SID_AUTHORITY = {0, 0, 0, 0, 0, 0}, /* S-1-0 */
// SECURITY_WORLD_SID_AUTHORITY = {0, 0, 0, 0, 0, 1}, /* S-1-1 */
// SECURITY_LOCAL_SID_AUTHORITY = {0, 0, 0, 0, 0, 2}, /* S-1-2 */
// SECURITY_CREATOR_SID_AUTHORITY = {0, 0, 0, 0, 0, 3}, /* S-1-3 */
// SECURITY_NON_UNIQUE_AUTHORITY = {0, 0, 0, 0, 0, 4}, /* S-1-4 */
// SECURITY_NT_SID_AUTHORITY = {0, 0, 0, 0, 0, 5}, /* S-1-5 */
//} IDENTIFIER_AUTHORITIES;
/*
* These relative identifiers (RIDs) are used with the above identifier
* authorities to make up universal well-known SIDs.
*
* Note: The relative identifier (RID) refers to the portion of a SID, which
* identifies a user or group in relation to the authority that issued the SID.
* For example, the universal well-known SID Creator Owner ID (S-1-3-0) is
* made up of the identifier authority SECURITY_CREATOR_SID_AUTHORITY (3) and
* the relative identifier SECURITY_CREATOR_OWNER_RID (0).
*/
typedef enum { /* Identifier authority. */
SECURITY_NULL_RID = 0, /* S-1-0 */
SECURITY_WORLD_RID = 0, /* S-1-1 */
SECURITY_LOCAL_RID = 0, /* S-1-2 */
SECURITY_CREATOR_OWNER_RID = 0, /* S-1-3 */
SECURITY_CREATOR_GROUP_RID = 1, /* S-1-3 */
SECURITY_CREATOR_OWNER_SERVER_RID = 2, /* S-1-3 */
SECURITY_CREATOR_GROUP_SERVER_RID = 3, /* S-1-3 */
SECURITY_DIALUP_RID = 1,
SECURITY_NETWORK_RID = 2,
SECURITY_BATCH_RID = 3,
SECURITY_INTERACTIVE_RID = 4,
SECURITY_SERVICE_RID = 6,
SECURITY_ANONYMOUS_LOGON_RID = 7,
SECURITY_PROXY_RID = 8,
SECURITY_ENTERPRISE_CONTROLLERS_RID=9,
SECURITY_SERVER_LOGON_RID = 9,
SECURITY_PRINCIPAL_SELF_RID = 0xa,
SECURITY_AUTHENTICATED_USER_RID = 0xb,
SECURITY_RESTRICTED_CODE_RID = 0xc,
SECURITY_TERMINAL_SERVER_RID = 0xd,
SECURITY_LOGON_IDS_RID = 5,
SECURITY_LOGON_IDS_RID_COUNT = 3,
SECURITY_LOCAL_SYSTEM_RID = 0x12,
SECURITY_NT_NON_UNIQUE = 0x15,
SECURITY_BUILTIN_DOMAIN_RID = 0x20,
/*
* Well-known domain relative sub-authority values (RIDs).
*/
/* Users. */
DOMAIN_USER_RID_ADMIN = 0x1f4,
DOMAIN_USER_RID_GUEST = 0x1f5,
DOMAIN_USER_RID_KRBTGT = 0x1f6,
/* Groups. */
DOMAIN_GROUP_RID_ADMINS = 0x200,
DOMAIN_GROUP_RID_USERS = 0x201,
DOMAIN_GROUP_RID_GUESTS = 0x202,
DOMAIN_GROUP_RID_COMPUTERS = 0x203,
DOMAIN_GROUP_RID_CONTROLLERS = 0x204,
DOMAIN_GROUP_RID_CERT_ADMINS = 0x205,
DOMAIN_GROUP_RID_SCHEMA_ADMINS = 0x206,
DOMAIN_GROUP_RID_ENTERPRISE_ADMINS= 0x207,
DOMAIN_GROUP_RID_POLICY_ADMINS = 0x208,
/* Aliases. */
DOMAIN_ALIAS_RID_ADMINS = 0x220,
DOMAIN_ALIAS_RID_USERS = 0x221,
DOMAIN_ALIAS_RID_GUESTS = 0x222,
DOMAIN_ALIAS_RID_POWER_USERS = 0x223,
DOMAIN_ALIAS_RID_ACCOUNT_OPS = 0x224,
DOMAIN_ALIAS_RID_SYSTEM_OPS = 0x225,
DOMAIN_ALIAS_RID_PRINT_OPS = 0x226,
DOMAIN_ALIAS_RID_BACKUP_OPS = 0x227,
DOMAIN_ALIAS_RID_REPLICATOR = 0x228,
DOMAIN_ALIAS_RID_RAS_SERVERS = 0x229,
DOMAIN_ALIAS_RID_PREW2KCOMPACCESS = 0x22a,
} RELATIVE_IDENTIFIERS;
/*
* The universal well-known SIDs:
*
* NULL_SID S-1-0-0
* WORLD_SID S-1-1-0
* LOCAL_SID S-1-2-0
* CREATOR_OWNER_SID S-1-3-0
* CREATOR_GROUP_SID S-1-3-1
* CREATOR_OWNER_SERVER_SID S-1-3-2
* CREATOR_GROUP_SERVER_SID S-1-3-3
*
* (Non-unique IDs) S-1-4
*
* NT well-known SIDs:
*
* NT_AUTHORITY_SID S-1-5
* DIALUP_SID S-1-5-1
*
* NETWORD_SID S-1-5-2
* BATCH_SID S-1-5-3
* INTERACTIVE_SID S-1-5-4
* SERVICE_SID S-1-5-6
* ANONYMOUS_LOGON_SID S-1-5-7 (aka null logon session)
* PROXY_SID S-1-5-8
* SERVER_LOGON_SID S-1-5-9 (aka domain controller account)
* SELF_SID S-1-5-10 (self RID)
* AUTHENTICATED_USER_SID S-1-5-11
* RESTRICTED_CODE_SID S-1-5-12 (running restricted code)
* TERMINAL_SERVER_SID S-1-5-13 (running on terminal server)
*
* (Logon IDs) S-1-5-5-X-Y
*
* (NT non-unique IDs) S-1-5-0x15-...
*
* (Built-in domain) S-1-5-0x20
*/
/*
* The SID_IDENTIFIER_AUTHORITY is a 48-bit value used in the SID structure.
*/
typedef union {
struct {
u32 low; /* Low 32-bits. */
u16 high; /* High 16-bits. */
} __attribute__ ((__packed__)) parts;
u8 value[6]; /* Value as individual bytes. */
} __attribute__ ((__packed__)) SID_IDENTIFIER_AUTHORITY;
/*
* The SID structure is a variable-length structure used to uniquely identify
* users or groups. SID stands for security identifier.
*
* The standard textual representation of the SID is of the form:
* S-R-I-S-S...
* Where:
* - The first "S" is the literal character 'S' identifying the following
* digits as a SID.
* - R is the revision level of the SID expressed as a sequence of digits
* either in decimal or hexadecimal (if the later, prefixed by "0x").
* - I is the 48-bit identifier_authority, expressed as digits as R above.
* - S... is one or more sub_authority values, expressed as digits as above.
*
* Example SID; the domain-relative SID of the local Administrators group on
* Windows NT/2k:
* S-1-5-32-544
* This translates to a SID with:
* revision = 1,
* sub_authority_count = 2,
* identifier_authority = {0,0,0,0,0,5}, // SECURITY_NT_AUTHORITY
* sub_authority[0] = 32, // SECURITY_BUILTIN_DOMAIN_RID
* sub_authority[1] = 544 // DOMAIN_ALIAS_RID_ADMINS
*/
typedef struct {
u8 revision;
u8 sub_authority_count;
SID_IDENTIFIER_AUTHORITY identifier_authority;
u32 sub_authority[1]; /* At least one sub_authority. */
} __attribute__ ((__packed__)) SID;
/*
* Current constants for SIDs.
*/
typedef enum {
SID_REVISION = 1, /* Current revision level. */
SID_MAX_SUB_AUTHORITIES = 15, /* Maximum number of those. */
SID_RECOMMENDED_SUB_AUTHORITIES = 1, /* Will change to around 6 in
a future revision. */
} SID_CONSTANTS;
/*
* The predefined ACE types (8-bit, see below).
*/
typedef enum {
ACCESS_MIN_MS_ACE_TYPE = 0,
ACCESS_ALLOWED_ACE_TYPE = 0,
ACCESS_DENIED_ACE_TYPE = 1,
SYSTEM_AUDIT_ACE_TYPE = 2,
SYSTEM_ALARM_ACE_TYPE = 3, /* Not implemented as of Win2k. */
ACCESS_MAX_MS_V2_ACE_TYPE = 3,
ACCESS_ALLOWED_COMPOUND_ACE_TYPE= 4,
ACCESS_MAX_MS_V3_ACE_TYPE = 4,
/* The following are Win2k only. */
ACCESS_MIN_MS_OBJECT_ACE_TYPE = 5,
ACCESS_ALLOWED_OBJECT_ACE_TYPE = 5,
ACCESS_DENIED_OBJECT_ACE_TYPE = 6,
SYSTEM_AUDIT_OBJECT_ACE_TYPE = 7,
SYSTEM_ALARM_OBJECT_ACE_TYPE = 8,
ACCESS_MAX_MS_OBJECT_ACE_TYPE = 8,
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -