def __init__(self, data):
RawStruct.__init__(self, data)
self.type_str = "$UNKNOWN"
non_resident_flag = self.get_ubyte(8)
name_length = self.get_ubyte(9)
header_size = 0
if non_resident_flag:
if name_length == 0:
# Non Resident, No Name
header_size = 0x40
else:
# Non Resident, Has Name
header_size = 0x40 + 2 * name_length
else:
if name_length == 0:
# Resident, No Name
header_size = 0x18
else:
# Resident, Has Name
header_size = 0x18 + 2 * name_length
self.header = MftAttrHeader(
self.get_chunk(0, header_size)
)
def __init__(self, **kwargs):
RawStruct.__init__(self, **kwargs)
self.inodes_count = self.get_uint_le(0)
self.blocks_count = self.get_uint_le(4)
self.reserved_blocks_count = self.get_uint_le(8)
self.free_blocks_count = self.get_uint_le(12)
self.free_inodes_count = self.get_uint_le(16)
self.first_data_block = self.get_uint_le(20)
self.log_block_size = self.get_uint_le(24)
self.log_fragment_size = self.get_int_le(28)
self.blocks_per_group = self.get_uint_le(32)
self.fragments_per_group = self.get_uint_le(36)
self.inodes_per_group = self.get_uint_le(40)
self.mtime = self.get_uint_le(44)
self.wtime = self.get_uint_le(48)
self.mount_count = self.get_ushort_le(52)
self.max_mount_count = self.get_ushort_le(54)
self.magic = self.get_ushort_le(56)
self.state = self.get_ushort_le(58)
self.errors = self.get_ushort_le(60)
self.minor_revision_level = self.get_ushort_le(62)
self.lastcheck = self.get_uint_le(64)
self.checkinterval = self.get_uint_le(68)
self.creator_os = self.get_uint_le(72)
self.revision_level = self.get_uint_le(76)
self.default_resuid = self.get_ushort_le(80)
self.default_resgid = self.get_ushort_le(82)
def __init__(self, data):
RawStruct.__init__(self, data)
self.type = self.get_uint_le(0)
self.length = self.get_uint_le(0x4)
self.non_resident_flag = self.get_uchar(0x08) # 0 - resident, 1 - not
self.length_of_name = self.get_uchar(0x09) # Used only for ADS
self.offset_to_name = self.get_ushort_le(0x0A) # Used only for ADS
# (Compressed, Encrypted, Sparse)
self.flags = self.get_ushort_le(0x0C)
self.identifier = self.get_ushort_le(0x0E)
if (self.non_resident_flag):
# Attribute is Non-Resident
self.lowest_vcn = self.get_ulonglong_le(0x10)
self.highest_vcn = self.get_ulonglong_le(0x18)
self.data_run_offset = self.get_ushort_le(0x20)
self.comp_unit_size = self.get_ushort_le(0x22)
# 4 byte 0x00 padding @ 0x24
self.alloc_size = self.get_ulonglong_le(0x28)
self.real_size = self.get_ulonglong_le(0x30)
self.data_size = self.get_ulonglong_le(0x38)
if (self.length_of_name > 0):
self.attr_name = self.get_chunk(
0x40, 2 * self.length_of_name).decode('utf-16')
# print self.attr_name.decode('utf-16')
else:
# Attribute is Resident
self.attr_length = self.get_uint_le(0x10)
self.attr_offset = self.get_ushort_le(0x14)
self.indexed = self.get_uchar(0x16)
if (self.length_of_name > 0):
self.attr_name = self.get_chunk(
0x18, 2 * self.length_of_name).decode('utf-16')
def __init__(self, data):
RawStruct.__init__(self, data)
self.type = self.get_uint_le(0)
self.length = self.get_uint_le(0x4)
self.non_resident_flag = self.get_ubyte(0x08) # 0 - resident, 1 - not
self.length_of_name = self.get_ubyte(0x09) # Used only for ADS
self.offset_to_name = self.get_ushort_le(0x0A) # Used only for ADS
# (Compressed, Encrypted, Sparse)
self.flags = self.get_ushort_le(0x0C)
self.identifier = self.get_ushort_le(0x0E)
if (self.non_resident_flag):
# Attribute is Non-Resident
self.lowest_vcn = self.get_ulonglong_le(0x10)
self.highest_vcn = self.get_ulonglong_le(0x18)
self.data_run_offset = self.get_ushort_le(0x20)
self.comp_unit_size = self.get_ushort_le(0x22)
# 4 byte 0x00 padding @ 0x24
self.alloc_size = self.get_ulonglong_le(0x28)
self.real_size = self.get_ulonglong_le(0x30)
self.data_size = self.get_ulonglong_le(0x38)
if (self.length_of_name > 0):
self.attr_name = self.get_chunk(
0x40, 2 * self.length_of_name).decode('utf-16')
# print self.attr_name.decode('utf-16')
else:
# Attribute is Resident
self.attr_length = self.get_uint_le(0x10)
self.attr_offset = self.get_ushort_le(0x14)
self.indexed = self.get_ubyte(0x16)
if (self.length_of_name > 0):
self.attr_name = self.get_chunk(
0x18, 2 * self.length_of_name).decode('utf-16')
def __init__(self, data):
RawStruct.__init__(self, data)
self.type_str = "$UNKNOWN"
non_resident_flag = self.get_ubyte(8)
name_length = self.get_ubyte(9)
header_size = 0
if non_resident_flag:
if name_length == 0:
# Non Resident, No Name
header_size = 0x40
else:
# Non Resident, Has Name
header_size = 0x40 + 2 * name_length
else:
if name_length == 0:
# Resident, No Name
header_size = 0x18
else:
# Resident, Has Name
header_size = 0x18 + 2 * name_length
self.header = MftAttrHeader(
self.get_chunk(0, header_size)
)
def __init__(self, data=None, offset=None, length=None, filename=None):
RawStruct.__init__(self,
data=data,
offset=offset,
length=length,
filename=filename)
self.oem_id = self.get_string(3, 8)
self.bpb = BIOS_PARAMETER_BLOCK(
self.get_ushort_le(0x0B), # bytes_per_sector
self.get_ubyte(0x0D), # sectors_per_cluster
self.get_ushort_le(0x0E), # reserved_sectors
self.get_ubyte(0x15), # media_type
self.get_ushort_le(0x18), # sectors_per_track
self.get_ushort_le(0x1A), # heads
self.get_uint_le(0x1C), # hidden_sectors
self.get_ulonglong_le(0x28), # total sectors
)
self.extended_bpb = EXTENDED_BIOS_PARAMETER_BLOCK(
self.get_ulonglong_le(0x30), # mft_cluster
self.get_ulonglong_le(0x38), # mft_mirror_cluster
self.get_byte(0x40), # clusters_per_mft
self.get_ubyte(0x44), # clusters_per_index
self.get_ulonglong_le(0x48), # volume_serial
)
def __init__(
self, data=None, offset=None, length=None,
filename=None, index=None
):
RawStruct.__init__(
self,
data=data,
filename=filename,
offset=offset,
length=length
)
self.index = index
self.attributes = []
self.fname_str = ""
self.header = MFT_RECORD_HEADER(
self.get_string(0, 4), # signature
self.get_ushort_le(4), # upd_seq_array_offset
self.get_ushort_le(6), # upd_seq_array_size
self.get_ulonglong_le(8), # logfile_seq_number
self.get_ushort_le(16), # seq_number
self.get_ushort_le(18), # hard_link_count
self.get_ushort_le(20), # first_attr_offset
self.get_ushort_le(22), # flags
self.get_uint_le(24), # used_size
self.get_ushort_le(28), # allocated_size
self.get_ulonglong_le(30), # base_file_record
self.get_ushort_le(38), # next_attr_id
self.get_uint_le(42) # mft_record_number
)
self.name_str = self._get_entry_name(self.index)
self._load_attributes()
def __init__(self,
data=None,
offset=None,
length=None,
filename=None,
index=None):
RawStruct.__init__(self,
data=data,
filename=filename,
offset=offset,
length=length)
self.index = index
self.attributes = []
self.fname_str = ""
self.header = MFT_RECORD_HEADER(
self.get_string(0, 4), # signature
self.get_ushort_le(4), # upd_seq_array_offset
self.get_ushort_le(6), # upd_seq_array_size
self.get_ulonglong_le(8), # logfile_seq_number
self.get_ushort_le(16), # seq_number
self.get_ushort_le(18), # hard_link_count
self.get_ushort_le(20), # first_attr_offset
self.get_ushort_le(22), # flags
self.get_uint_le(24), # used_size
self.get_ushort_le(28), # allocated_size
self.get_ulonglong_le(30), # base_file_record
self.get_ushort_le(38), # next_attr_id
self.get_uint_le(42) # mft_record_number
)
self.name_str = self._get_entry_name(self.index)
self._load_attributes()
def __init__(self, data=None, offset=None, length=None, filename=None):
RawStruct.__init__(
self,
data=data,
offset=offset,
length=length,
filename=filename
)
self.oem_id = self.get_string(3, 8)
self.bpb = BIOS_PARAMETER_BLOCK(
self.get_ushort_le(0x0B), # bytes_per_sector
self.get_ubyte(0x0D), # sectors_per_cluster
self.get_ushort_le(0x0E), # reserved_sectors
self.get_ubyte(0x15), # media_type
self.get_ushort_le(0x18), # sectors_per_track
self.get_ushort_le(0x1A), # heads
self.get_uint_le(0x1C), # hidden_sectors
self.get_ulonglong_le(0x28), # total sectors
)
self.extended_bpb = EXTENDED_BIOS_PARAMETER_BLOCK(
self.get_ulonglong_le(0x30), # mft_cluster
self.get_ulonglong_le(0x38), # mft_mirror_cluster
self.get_byte(0x40), # clusters_per_mft
self.get_ubyte(0x44), # clusters_per_index
self.get_ulonglong_le(0x48), # volume_serial
)
def __init__(
self,
data=None,
offset=None,
filename=None
):
RawStruct.__init__(
self,
data=data,
offset=offset,
length=BPB_SIZE + EXTENDED_BPB_SIZE,
filename=filename
)
self.bytes_per_sector = self.get_ushort_le(0)
self.sectors_per_cluster = self.get_uchar(2)
self.reserved_sectors = self.get_ushort_le(3)
self.media_descriptor = self.get_uchar(10)
self.sectors_per_track = self.get_ushort_le(13)
self.number_of_heads = self.get_ushort_le(15)
self.hidden_sectors = self.get_uint_le(17)
self.total_sectors = self.get_ulonglong_le(29)
self.mft_cluster = self.get_ulonglong_le(37)
self.mft_mirror_cluster = self.get_ulonglong_le(45)
self.clusters_per_mft = self.get_char(53)
self.clusters_per_index = self.get_uchar(57)
self.volume_serial = self.get_ulonglong_le(58)
self.checksum = self.get_uint_le(66)
def __init__(self, data):
RawStruct.__init__(self, data)
self.type_guid = self.get_uuid_le(0x00)
self.part_guid = self.get_uuid_le(0x10)
self.first_lba = self.get_ulonglong_le(0x20)
self.last_lba = self.get_ulonglong_le(0x28)
self.attr_flags = self.get_ulonglong_le(0x30)
self.name = self.get_chunk(0x38, 72).decode('utf-16')
def __init__(self, data):
RawStruct.__init__(self, data)
self.entries = []
for i in range(0, MBR_NUM_PARTS):
entry = MbrPartitionEntry(
self.get_chunk(PARTITION_ENTRY_SIZE * i, PARTITION_ENTRY_SIZE))
if entry.fields.part_type != 0:
self.entries.append(entry)
def __init__(self, data):
RawStruct.__init__(self, data)
self.__partitions = []
for i in range(0, MBR_NUM_PARTS):
entry = MbrPartitionEntry(
self.get_chunk(PARTITION_ENTRY_SIZE * i, PARTITION_ENTRY_SIZE)
)
if entry.fields.part_type != 0:
self.__partitions.append(entry)
def __init__(self, filename=None, load_partition_table=True):
RawStruct.__init__(self, filename=filename, length=MBR_SIZE)
self.bootstrap = self.get_chunk(0, 446)
signature = self.get_ushort_le(MBR_SIG_OFFSET)
if signature != MBR_SIGNATURE:
raise Exception("Invalid MBR signature")
if load_partition_table:
self._load_partition_table()
def __init__(self, data):
RawStruct.__init__(self, data)
self.entries = []
for i in range(0, 4):
entry = MbrPartitionEntry(
self.get_chunk(PT_ENTRY_SIZE * i, PT_ENTRY_SIZE)
)
if (entry.fields.part_type != 0):
self.entries.append(entry)
def __init__(self, data=None, offset=None, length=None, filename=None):
RawStruct.__init__(
self,
data=data,
offset=offset,
length=length,
filename=filename
)
self.oem_id = self.get_string(3, 8)
self.bpb = Bpb(self.get_chunk(
BPB_OFFSET, BPB_SIZE + EXTENDED_BPB_SIZE))
def __init__(self, data):
RawStruct.__init__(self, data)
self.fields = GPT_PARTITION_ENTRY(
(c_ubyte * 16).from_buffer_copy(
self.get_chunk(0, 16)), # type_guid
(c_ubyte * 16).from_buffer_copy(
self.get_chunk(0x10, 16)), # part_guid
self.get_ulonglong_le(0x20), # first_lba
self.get_ulonglong_le(0x28), # last_lba
self.get_ulonglong_le(0x30), # attr_flags
self.get_chunk(0x38, 72).decode('utf-16'), # name
)
def __init__(self, data):
RawStruct.__init__(self, data)
self.fields = GPT_PARTITION_ENTRY(
(c_ubyte * 16).from_buffer_copy(self.get_chunk(0,
16)), # type_guid
(c_ubyte * 16).from_buffer_copy(self.get_chunk(0x10,
16)), # part_guid
self.get_ulonglong_le(0x20), # first_lba
self.get_ulonglong_le(0x28), # last_lba
self.get_ulonglong_le(0x30), # attr_flags
self.get_chunk(0x38, 72).decode('utf-16'), # name
)
def __init__(self, filename=None):
RawStruct.__init__(
self,
filename=filename,
length=MBR_SIZE
)
signature = self.get_ushort_le(MBR_SIG_OFFSET)
if (signature != MBR_SIGNATURE):
raise Exception("Invalid MBR signature")
self.partition_table = PartitionTable(
self.get_chunk(PT_TABLE_OFFSET, PT_TABLE_SIZE)
)
def __init__(self, filename=None, load_partition_table=True):
RawStruct.__init__(
self,
filename=filename,
length=MBR_SIZE
)
self.bootstrap = self.get_chunk(0, 446)
signature = self.get_ushort_le(MBR_SIG_OFFSET)
if (signature != MBR_SIGNATURE):
raise Exception("Invalid MBR signature")
if (load_partition_table):
self._load_partition_table()
def __init__(self, data):
RawStruct.__init__(self, data)
self.file_signature = self.get_string(0, 4)
self.update_seq_array_offset = self.get_ushort_le(4)
self.update_seq_array_size = self.get_ushort_le(6)
self.logfile_seq_number = self.get_ulonglong_le(8)
self.seq_number = self.get_ushort_le(16)
self.hard_link_count = self.get_ushort_le(18)
self.first_attr_offset = self.get_ushort_le(20)
self.flags = self.get_ushort_le(22)
self.used_size = self.get_uint_le(24)
self.allocated_size = self.get_ushort_le(28)
self.base_file_record = self.get_ulonglong_le(30)
self.next_attr_id = self.get_ushort_le(38)
self.mft_record_number = self.get_uint_le(42)
def __init__(self, data):
RawStruct.__init__(self, data)
tmp = self.get_ubyte(2)
tmp2 = self.get_ubyte(6)
self.fields = MBR_PARTITION_ENTRY(
self.get_ubyte(0), # boot indicator
self.get_ubyte(1), # starting_head
tmp & 0x3F, # starting_sector
((tmp & 0xC0) << 2) + self.get_ubyte(3), # starting cylinder
self.get_ubyte(4), # part_type
self.get_ubyte(5), # ending_head
tmp2 & 0x3F, # ending_sector
((tmp2 & 0xC0) << 2) + self.get_ubyte(7), # ending cylinder
self.get_uint_le(8), # relative sector
self.get_uint_le(12), # total sectors
)
def __init__(self, data):
RawStruct.__init__(self, data)
self.boot_indicator = self.get_uchar(0)
self.starting_head = self.get_uchar(1)
tmp = self.get_uchar(2)
self.starting_sector = tmp & 0x3F # Only bits 0-5 are used
self.starting_cylinder = ((tmp & 0xC0) << 2) + \
self.get_uchar(3)
self.part_type = self.get_uchar(4)
self.ending_head = self.get_uchar(5)
tmp = self.get_uchar(6)
self.ending_sector = tmp & 0x3F
self.ending_cylinder = ((tmp & 0xC0) << 2) + \
self.get_uchar(7)
self.relative_sector = self.get_uint_le(8)
self.total_sectors = self.get_uint_le(12)
self.part_offset = SECTOR_SIZE*self.relative_sector
def __init__(
self, data=None, offset=None, length=None,
filename=None, index=None
):
RawStruct.__init__(
self,
data=data,
filename=filename,
offset=offset,
length=length
)
self.index = index
self.attributes = []
self.fname_str = ""
header_data = self.get_chunk(0, MFT_ENTRY_HEADER_SIZE)
self.header = MftEntryHeader(header_data)
self.name_str = self._get_entry_name(self.index)
self._load_attributes()
def __init__(self, data):
RawStruct.__init__(self, data)
tmp = self.get_ubyte(2)
tmp2 = self.get_ubyte(6)
self.fields = MBR_PARTITION_ENTRY(
self.get_ubyte(0), # boot indicator
self.get_ubyte(1), # starting_head
tmp & 0x3F, # starting_sector
((tmp & 0xC0) << 2) +
self.get_ubyte(3), # starting cylinder
self.get_ubyte(4), # part_type
self.get_ubyte(5), # ending_head
tmp2 & 0x3F, # ending_sector
((tmp2 & 0xC0) << 2) +
self.get_ubyte(7), # ending cylinder
self.get_uint_le(8), # relative sector
self.get_uint_le(12), # total sectors
)
def __init__(self, data):
RawStruct.__init__(self, data)
self.signature = self.get_string(0, 8)
if (self.signature != GPT_SIGNATURE):
raise Exception("Invalid GPT signature")
self.revision = self.get_uint_le(0x08)
self.header_size = self.get_uint_le(0x0C)
self.crc32 = self.get_uint_le(0x10)
# 4 bytes @0x14 reserved, must be 0
self.current_lba = self.get_ulonglong_le(0x18)
self.backup_lba = self.get_ulonglong_le(0x20)
self.first_usable_lba = self.get_ulonglong_le(0x28)
self.last_usable_lba = self.get_ulonglong_le(0x30)
# Not sure if this is correct
self.disk_guid = self.get_uuid_le(0x38)
self.part_lba = self.get_ulonglong_le(0x48)
self.num_partitions = self.get_uint_le(0x50)
self.part_size = self.get_uint_le(0x54)
self.part_array_crc32 = self.get_uint_le(0x58)
def __init__(self, data):
RawStruct.__init__(self, data)
self.signature = self.get_string(0x00, 2)
# HFS+ everything is stored in big-endian
self.version = self.get_ushort_be(0x02)
self.attributes = self.get_uint_be(0x04)