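def decodeFNAttribute(s, localtz, record):
    """Decode an NTFS $FILE_NAME (FN) attribute body into a dict.

    Args:
        s: raw attribute body (bytes-like). The fixed part is read from
            offsets 0-65; the UTF-16 name bytes start at offset 66.
        localtz: passed unchanged to mftutils.WindowsTime for every timestamp.
        record: unused; retained so existing callers keep working.

    Returns:
        dict with keys par_ref, par_seq, crtime, mtime, ctime, atime,
        alloc_fsize, real_fsize, flags, nlen, nspace and name. ``name`` is
        the placeholder 'UnableToDecodeFilename' when the name bytes are not
        valid UTF-16.

    Raises:
        struct.error: when *s* is shorter than the 66-byte fixed part. The
            data comes straight from an on-disk record, so callers should
            expect truncated input.
    """
    # File name attributes can have null dates.

    def _field(fmt, offset):
        # Read one field in place; unpack_from avoids copying a slice and
        # still raises struct.error on a short buffer, as the slices did.
        return struct.unpack_from(fmt, s, offset)[0]

    def _wintime(offset):
        # Timestamps are stored as two dwords (low, high) handed to WindowsTime.
        return mftutils.WindowsTime(_field("<L", offset),
                                    _field("<L", offset + 4), localtz)

    d = {}
    # "File reference to the parent directory": 6-byte reference number plus
    # 2-byte sequence number. Only the low 4 bytes of the reference are
    # returned; the "xx" pads skip the upper two.
    d['par_ref'] = _field("<Lxx", 0)
    d['par_seq'] = _field("<H", 6)  # Parent sequence number
    d['crtime'] = _wintime(8)
    d['mtime'] = _wintime(16)
    d['ctime'] = _wintime(24)
    d['atime'] = _wintime(32)
    d['alloc_fsize'] = _field("<q", 40)
    d['real_fsize'] = _field("<q", 48)
    # Kept as the original's little-endian double ("0x01=NTFS, 0x02=DOS" in
    # the source comment). NOTE(review): a flags word is more plausibly an
    # integer field; confirm with the callers before changing the returned type.
    d['flags'] = _field("<d", 56)
    # One-byte fields are read with a one-byte format at the offset instead of
    # indexing: under Python 3 ``s[64]`` is an int and struct.unpack raises
    # TypeError on it. The result is the same under Python 2.
    d['nlen'] = _field("B", 64)    # name length; the slice below uses nlen * 2 bytes
    d['nspace'] = _field("B", 65)

    # Slicing past the end of s yields fewer bytes (a truncated name); an odd
    # byte count is then rejected by the decode below.
    name_bytes = s[66:66 + d['nlen'] * 2]
    try:
        # NTFS names are UTF-16LE. The explicit -le codec is independent of
        # the host byte order and keeps a leading U+FEFF/U+FFFE in the name
        # instead of consuming it as a BOM.
        d['name'] = name_bytes.decode('utf-16-le').encode('utf-8')
    except UnicodeError:
        # Only codec failures are expected here; a bare except would also
        # hide KeyboardInterrupt and programming errors.
        d['name'] = 'UnableToDecodeFilename'

    return d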
def decodeSIAttribute(s, localtz):
    """Decode an NTFS $STANDARD_INFORMATION (SI) attribute body into a dict.

    Args:
        s: raw attribute body (bytes-like); offsets 0-71 are read.
        localtz: passed unchanged to mftutils.WindowsTime for every timestamp.

    Returns:
        dict with keys crtime, mtime, ctime, atime, dos, maxver, ver,
        class_id, own_id, sec_id, quota and usn. quota and usn are unpacked
        as little-endian doubles, exactly as before.

    Raises:
        struct.error: when *s* is shorter than a field being read.
    """

    def read(fmt, start, stop):
        # One little-endian field taken from s[start:stop].
        return struct.unpack(fmt, s[start:stop])[0]

    def win_time(start):
        # Two dwords (low, high) at *start*, converted by WindowsTime.
        low = read("<L", start, start + 4)
        high = read("<L", start + 4, start + 8)
        return mftutils.WindowsTime(low, high, localtz)

    attrs = {}
    for key, offset in (('crtime', 0), ('mtime', 8),
                        ('ctime', 16), ('atime', 24)):
        attrs[key] = win_time(offset)

    # (key, format, offset, width); width is the byte length of each field.
    scalar_layout = (
        ('dos', "<I", 32, 4),
        ('maxver', "<I", 36, 4),
        ('ver', "<I", 40, 4),
        ('class_id', "<I", 44, 4),
        ('own_id', "<I", 48, 4),
        ('sec_id', "<I", 52, 4),
        ('quota', "<d", 56, 8),
        ('usn', "<d", 64, 8),  # end of the dates to here is 40 bytes
    )
    for key, fmt, offset, width in scalar_layout:
        attrs[key] = read(fmt, offset, offset + width)

    return attrs
def decode_si_attribute(s, localtz):
    """Decode an NTFS $STANDARD_INFORMATION (SI) attribute body into a dict.

    Args:
        s: raw attribute body (bytes-like); offsets 0-71 are read.
        localtz: passed unchanged to mftutils.WindowsTime for every timestamp.

    Returns:
        dict with keys crtime, mtime, ctime, atime, dos, maxver, ver,
        class_id, own_id, sec_id, quota and usn (the last two as
        little-endian doubles, as before).

    Raises:
        struct.error: when *s* is shorter than a field being read.
    """

    def dword(offset):
        # Unsigned 32-bit little-endian value at *offset*, read in place.
        return struct.unpack_from("<L", s, offset)[0]

    def uint(offset):
        return struct.unpack_from("<I", s, offset)[0]

    def double(offset):
        return struct.unpack_from("<d", s, offset)[0]

    def timestamp(offset):
        # Low dword then high dword, handed to WindowsTime.
        return mftutils.WindowsTime(dword(offset), dword(offset + 4), localtz)

    result = {}
    result['crtime'] = timestamp(0)
    result['mtime'] = timestamp(8)
    result['ctime'] = timestamp(16)
    result['atime'] = timestamp(24)
    result['dos'] = uint(32)
    result['maxver'] = uint(36)
    result['ver'] = uint(40)
    result['class_id'] = uint(44)
    result['own_id'] = uint(48)
    result['sec_id'] = uint(52)
    result['quota'] = double(56)
    result['usn'] = double(64)

    return result
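def decode_fn_attribute(s, localtz, _):
    """Decode an NTFS $FILE_NAME (FN) attribute body into a dict.

    Args:
        s: raw attribute body (bytes-like). The fixed part is read from
            offsets 0-65; the UTF-16 name bytes start at offset 66.
        localtz: passed unchanged to mftutils.WindowsTime for every timestamp.
        _: unused; retained so existing callers keep working.

    Returns:
        dict with keys par_ref, par_seq, crtime, mtime, ctime, atime,
        alloc_fsize, real_fsize, flags, nlen, nspace and name. ``name`` is
        the placeholder 'UnableToDecodeFilename' when the name bytes are not
        valid UTF-16.

    Raises:
        struct.error: when *s* is shorter than the 66-byte fixed part. The
            data comes straight from an on-disk record, so callers should
            expect truncated input.
    """
    # File name attributes can have null dates.

    def _field(fmt, offset):
        # Read one field in place; unpack_from avoids copying a slice and
        # still raises struct.error on a short buffer, as the slices did.
        return struct.unpack_from(fmt, s, offset)[0]

    def _wintime(offset):
        # Timestamps are stored as two dwords (low, high) handed to WindowsTime.
        return mftutils.WindowsTime(_field("<L", offset),
                                    _field("<L", offset + 4), localtz)

    d = {
        # Reference to the parent directory: only the low 4 bytes of the
        # 6-byte reference are returned, the "xx" pads skip the upper two.
        'par_ref': _field("<Lxx", 0),
        'par_seq': _field("<H", 6),
        'crtime': _wintime(8),
        'mtime': _wintime(16),
        'ctime': _wintime(24),
        'atime': _wintime(32),
        'alloc_fsize': _field("<q", 40),
        'real_fsize': _field("<q", 48),
        # Kept as the original's little-endian double. NOTE(review): a flags
        # word is more plausibly an integer field; confirm with the callers
        # before changing the returned type.
        'flags': _field("<d", 56),
        # One-byte fields are read with a one-byte format at the offset
        # instead of indexing: under Python 3 ``s[64]`` is an int and
        # struct.unpack raises TypeError on it. Same result under Python 2.
        'nlen': _field("B", 64),    # name length; the slice below uses nlen * 2 bytes
        'nspace': _field("B", 65),
    }

    # Slicing past the end of s yields fewer bytes (a truncated name); an odd
    # byte count is then rejected by the decode below.
    attr_bytes = s[66:66 + d['nlen'] * 2]
    try:
        # NTFS names are UTF-16LE. The explicit -le codec is independent of
        # the host byte order and keeps a leading U+FEFF/U+FFFE in the name
        # instead of consuming it as a BOM.
        d['name'] = attr_bytes.decode('utf-16-le').encode('utf-8')
    except UnicodeError:
        # Only codec failures are expected here; a bare except would also
        # hide KeyboardInterrupt and programming errors.
        d['name'] = 'UnableToDecodeFilename'

    return d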