def test_standard_information():
with open(ATTR_SI, 'rb') as f:
si_raw = f.read()
si = Attributes.StandardInformation(si_raw)
atime = si.get_atime()
mtime = si.get_mtime()
ctime = si.get_ctime()
etime = si.get_etime()
assert atime.year == 2004 and atime.month == 8 and atime.day == 26 and atime.hour == 15 and atime.minute == 11 and atime.second == 12 and atime.microsecond == 682956
assert mtime.year == 2004 and mtime.month == 8 and mtime.day == 20 and mtime.hour == 15 and mtime.minute == 9 and mtime.second == 2 and mtime.microsecond == 792578
assert ctime.year == 2004 and ctime.month == 8 and ctime.day == 20 and ctime.hour == 15 and ctime.minute == 9 and ctime.second == 2 and ctime.microsecond == 782564
assert etime.year == 2004 and etime.month == 8 and etime.day == 20 and etime.hour == 15 and etime.minute == 11 and etime.second == 35 and etime.microsecond == 422048
si = Attributes.StandardInformationPartial(si_raw, 0)
atime = si.get_atime()
mtime = si.get_mtime()
ctime = si.get_ctime()
etime = si.get_etime()
assert atime.year == 2004 and atime.month == 8 and atime.day == 26 and atime.hour == 15 and atime.minute == 11 and atime.second == 12 and atime.microsecond == 682956
assert mtime.year == 2004 and mtime.month == 8 and mtime.day == 20 and mtime.hour == 15 and mtime.minute == 9 and mtime.second == 2 and mtime.microsecond == 792578
assert ctime.year == 2004 and ctime.month == 8 and ctime.day == 20 and ctime.hour == 15 and ctime.minute == 9 and ctime.second == 2 and ctime.microsecond == 782564
assert etime.year == 2004 and etime.month == 8 and etime.day == 20 and etime.hour == 15 and etime.minute == 11 and etime.second == 35 and etime.microsecond == 422048
def test_object_id():
with open(ATTR_OBJID, 'rb') as f:
objid_raw = f.read()
objid = Attributes.ObjectID(objid_raw)
gtime = objid.get_timestamp()
assert gtime.year == 2004 and gtime.month == 8 and gtime.day == 20 and gtime.hour == 15 and gtime.minute == 5 and gtime.second == 9 and gtime.microsecond == 158068
assert str(objid.get_object_id()) == '53d29f0e-f2ba-11d8-b0f9-0010a4933e09'
assert len(objid.get_extra_data()) == 0
def test_different_la():
f = open(MFT_DIFFERENT_LA, 'rb')
c_1 = 0
c_2 = 0
mft = MFT.MasterFileTableParser(f)
for file_record in mft.file_records():
paths = mft.build_full_paths(file_record)
if len(paths) == 0:
continue
assert len(paths) == 1
path = paths[0]
if path == '/ts_la/test_la.txt':
for attr in file_record.attributes():
attr_value = attr.value_decoded()
if type(attr_value) is not Attributes.StandardInformation:
continue
c_1 += 1
ts_m_1 = attr_value.get_mtime()
ts_a_1 = attr_value.get_atime()
ts_c_1 = attr_value.get_ctime()
ts_e_1 = attr_value.get_etime()
elif path == '/ts_la':
for attr in file_record.attributes():
attr_value = attr.value_decoded()
if type(attr_value) is not Attributes.IndexRoot:
continue
for index_entry in attr_value.index_entries():
attr_value = Attributes.FileName(
index_entry.get_attribute())
c_2 += 1
ts_m_2 = attr_value.get_mtime()
ts_a_2 = attr_value.get_atime()
ts_c_2 = attr_value.get_ctime()
ts_e_2 = attr_value.get_etime()
assert c_1 == 1 and c_2 == 1
assert ts_m_1 == ts_m_2 and ts_c_1 == ts_c_2 and ts_e_1 == ts_e_2 and ts_a_1 != ts_a_2
assert ts_a_2 < ts_a_1
f.close()
def test_file_name():
with open(ATTR_FN, 'rb') as f:
fn_raw = f.read()
fn = Attributes.FileName(fn_raw)
assert fn.get_file_name() == 'sseriffr.fon'
atime = fn.get_atime()
mtime = fn.get_mtime()
ctime = fn.get_ctime()
etime = fn.get_etime()
assert ctime.year == 2004 and ctime.month == 8 and ctime.day == 19 and ctime.hour == 17 and ctime.minute == 1 and ctime.second == 3 and ctime.microsecond == 331068
assert mtime.year == 2001 and mtime.month == 8 and mtime.day == 23 and mtime.hour == 18 and mtime.minute == 0 and mtime.second == 0 and mtime.microsecond == 0
assert atime.year == 2004 and atime.month == 8 and atime.day == 19 and atime.hour == 17 and atime.minute == 1 and atime.second == 3 and atime.microsecond == 341082
assert etime == atime
def test_file_attributes():
s = Attributes.ResolveFileAttributes(0x200)
assert s == 'SPARSE'
s = Attributes.ResolveFileAttributes(0x201)
assert s == 'READ_ONLY | SPARSE'
s = Attributes.ResolveFileAttributes(0x2201)
assert s == 'READ_ONLY | SPARSE | NOT_CONTENT_INDEXED'
s = Attributes.ResolveFileAttributes(0x80201)
assert s == 'READ_ONLY | SPARSE'
s = Attributes.ResolveFileAttributes(0x80000)
assert s == ''
s = Attributes.ResolveFileAttributes(0x80004)
assert s == 'SYSTEM'
s = Attributes.ResolveFileAttributes(0)
assert s == ''
def test_usn_records():
with open(USN_1, 'rb') as f:
usn_raw = f.read()
usn = USN.GetUsnRecord(usn_raw)
assert type(usn) == USN.USN_RECORD_V2_OR_V3
assert usn.get_major_version() == 2
assert usn.get_file_name() == 'large_file.txt'
assert usn.get_usn() == 1170953448
assert usn.get_file_attributes() == 0x20
assert Attributes.ResolveFileAttributes(
usn.get_file_attributes()) == 'ARCHIVE'
assert usn.get_reason() == 0x80000001
assert USN.ResolveReasonCodes(
usn.get_reason()) == 'USN_REASON_DATA_OVERWRITE | USN_REASON_CLOSE'
assert usn.get_file_reference_number(
) == 0x0000000000000000000d000000013252
assert usn.get_parent_file_reference_number(
) == 0x000000000000000000060000000009eb
assert usn.get_source_info() == 0
assert usn.get_security_id() == 0
timestamp = usn.get_timestamp()
assert timestamp.year == 2019 and timestamp.month == 1 and timestamp.day == 21 and timestamp.hour == 22 and timestamp.minute == 36 and timestamp.second == 5 and timestamp.microsecond != 0
with open(USN_2, 'rb') as f:
usn_raw = f.read()
usn = USN.GetUsnRecord(usn_raw)
assert type(usn) == USN.USN_RECORD_V2_OR_V3
assert usn.get_major_version() == 2
assert usn.get_file_name() == 'mpasbase.vdm'
assert usn.get_usn() == 1170990440
assert usn.get_file_attributes() == 0x20
assert Attributes.ResolveFileAttributes(
usn.get_file_attributes()) == 'ARCHIVE'
assert usn.get_reason() == 0x80010800
assert USN.ResolveReasonCodes(
usn.get_reason()
) == 'USN_REASON_SECURITY_CHANGE | USN_REASON_HARD_LINK_CHANGE | USN_REASON_CLOSE'
assert usn.get_file_reference_number(
) == 0x00000000000000000002000000013424
assert usn.get_parent_file_reference_number(
) == 0x000000000000000000010000000006b7
assert usn.get_source_info() == 0
assert usn.get_security_id() == 0
timestamp = usn.get_timestamp()
assert timestamp.year == 2019 and timestamp.month == 1 and timestamp.day == 21 and timestamp.hour == 22 and timestamp.minute == 41 and timestamp.second == 17 and timestamp.microsecond != 0
with open(USN_3, 'rb') as f:
usn_raw = f.read()
usn = USN.GetUsnRecord(usn_raw)
assert type(usn) == USN.USN_RECORD_V4
assert usn.get_major_version() == 4
assert usn.get_usn() == 1170989584
assert usn.get_reason() == 0x80000102
assert USN.ResolveReasonCodes(usn.get_reason(
)) == 'USN_REASON_DATA_EXTEND | USN_REASON_FILE_CREATE | USN_REASON_CLOSE'
assert usn.get_file_reference_number(
) == 0x00000000000000000004000000013de8
assert usn.get_parent_file_reference_number(
) == 0x00000000000000000004000000001076
assert usn.get_source_info() == 0
assert usn.get_remaining_extents() == 0
assert usn.get_number_of_extents() == 1
c = 0
for offset, length in usn.extents():
c += 1
assert offset == 0
assert length == 2162688
assert c == 1
with open(USN_4, 'rb') as f:
usn_raw = f.read()
usn = USN.GetUsnRecord(usn_raw)
assert type(usn) == USN.USN_RECORD_V4
assert usn.get_major_version() == 4
assert usn.get_usn() == 1170955904
assert usn.get_reason() == 0x80000001
assert USN.ResolveReasonCodes(
usn.get_reason()) == 'USN_REASON_DATA_OVERWRITE | USN_REASON_CLOSE'
assert usn.get_file_reference_number(
) == 0x000000000000000000020000000051c0
assert usn.get_parent_file_reference_number(
) == 0x00000000000000000004000000001066
assert usn.get_source_info() == 0
assert usn.get_remaining_extents() == 0
assert usn.get_number_of_extents() == 2
c = 0
for offset, length in usn.extents():
c += 1
if c == 1:
assert offset == 0 and length == 16384
elif c == 2:
assert offset == 6242304 and length == 32768
assert c == 2
def test_lxxattr():
with pytest.raises(ValueError):
WSL.LXXATTR(b'\x00\x00')
with open(LXXATTR_WSL_1, 'rb') as f:
lxxattr_blob = f.read()
lxxattr = WSL.LXXATTR(lxxattr_blob)
xattr_list = []
for name, value in lxxattr.extended_attributes():
xattr_list.append((name, value))
xattr_list.remove((b'user.test', b'test_value'))
xattr_list.remove((b'user.another_test', b'another_value'))
assert len(xattr_list) == 0
with open(EA_WSL_1, 'rb') as f:
ea_blob = f.read()
ea = Attributes.EA(ea_blob)
c = 0
for name, flags, value in ea.data_parsed():
c += 1
assert flags == 0
if name == b'LXATTRB\x00':
lxattrb = WSL.LXATTRB(value)
chtime = lxattrb.get_chtime()
assert chtime.year == 2019 and chtime.month == 1 and chtime.day == 21
elif name == b'LXXATTR\x00':
lxxattr = WSL.LXXATTR(value)
xattr_list = []
for xname, xvalue in lxxattr.extended_attributes():
xattr_list.append((xname, xvalue))
xattr_list.remove((b'user.1', b'11'))
assert len(xattr_list) == 0
else:
assert False
assert c == 2
with open(EA_WSL_2, 'rb') as f:
ea_blob = f.read()
ea = Attributes.EA(ea_blob)
c = 0
for name, flags, value in ea.data_parsed():
c += 1
assert flags == 0
if name == b'LXATTRB\x00':
lxattrb = WSL.LXATTRB(value)
chtime = lxattrb.get_chtime()
assert chtime.year == 2019 and chtime.month == 1 and chtime.day == 21
elif name == b'LXXATTR\x00':
lxxattr = WSL.LXXATTR(value)
xattr_list = []
for xname, xvalue in lxxattr.extended_attributes():
xattr_list.append((xname, xvalue))
xattr_list.remove((b'user.1', b'11'))
xattr_list.remove((b'user.2', b'22'))
xattr_list.remove((b'user.3', b'33'))
assert len(xattr_list) == 0
else:
assert False
assert c == 2