def __init__(self, data): RawStruct.__init__(self, data) self.type_str = "$UNKNOWN" non_resident_flag = self.get_ubyte(8) name_length = self.get_ubyte(9) header_size = 0 if non_resident_flag: if name_length == 0: # Non Resident, No Name header_size = 0x40 else: # Non Resident, Has Name header_size = 0x40 + 2 * name_length else: if name_length == 0: # Resident, No Name header_size = 0x18 else: # Resident, Has Name header_size = 0x18 + 2 * name_length self.header = MftAttrHeader( self.get_chunk(0, header_size) )
def __init__(self, **kwargs): RawStruct.__init__(self, **kwargs) self.inodes_count = self.get_uint_le(0) self.blocks_count = self.get_uint_le(4) self.reserved_blocks_count = self.get_uint_le(8) self.free_blocks_count = self.get_uint_le(12) self.free_inodes_count = self.get_uint_le(16) self.first_data_block = self.get_uint_le(20) self.log_block_size = self.get_uint_le(24) self.log_fragment_size = self.get_int_le(28) self.blocks_per_group = self.get_uint_le(32) self.fragments_per_group = self.get_uint_le(36) self.inodes_per_group = self.get_uint_le(40) self.mtime = self.get_uint_le(44) self.wtime = self.get_uint_le(48) self.mount_count = self.get_ushort_le(52) self.max_mount_count = self.get_ushort_le(54) self.magic = self.get_ushort_le(56) self.state = self.get_ushort_le(58) self.errors = self.get_ushort_le(60) self.minor_revision_level = self.get_ushort_le(62) self.lastcheck = self.get_uint_le(64) self.checkinterval = self.get_uint_le(68) self.creator_os = self.get_uint_le(72) self.revision_level = self.get_uint_le(76) self.default_resuid = self.get_ushort_le(80) self.default_resgid = self.get_ushort_le(82)
def __init__(self, data): RawStruct.__init__(self, data) self.type = self.get_uint_le(0) self.length = self.get_uint_le(0x4) self.non_resident_flag = self.get_uchar(0x08) # 0 - resident, 1 - not self.length_of_name = self.get_uchar(0x09) # Used only for ADS self.offset_to_name = self.get_ushort_le(0x0A) # Used only for ADS # (Compressed, Encrypted, Sparse) self.flags = self.get_ushort_le(0x0C) self.identifier = self.get_ushort_le(0x0E) if (self.non_resident_flag): # Attribute is Non-Resident self.lowest_vcn = self.get_ulonglong_le(0x10) self.highest_vcn = self.get_ulonglong_le(0x18) self.data_run_offset = self.get_ushort_le(0x20) self.comp_unit_size = self.get_ushort_le(0x22) # 4 byte 0x00 padding @ 0x24 self.alloc_size = self.get_ulonglong_le(0x28) self.real_size = self.get_ulonglong_le(0x30) self.data_size = self.get_ulonglong_le(0x38) if (self.length_of_name > 0): self.attr_name = self.get_chunk( 0x40, 2 * self.length_of_name).decode('utf-16') # print self.attr_name.decode('utf-16') else: # Attribute is Resident self.attr_length = self.get_uint_le(0x10) self.attr_offset = self.get_ushort_le(0x14) self.indexed = self.get_uchar(0x16) if (self.length_of_name > 0): self.attr_name = self.get_chunk( 0x18, 2 * self.length_of_name).decode('utf-16')
def __init__(self, data): RawStruct.__init__(self, data) self.type = self.get_uint_le(0) self.length = self.get_uint_le(0x4) self.non_resident_flag = self.get_ubyte(0x08) # 0 - resident, 1 - not self.length_of_name = self.get_ubyte(0x09) # Used only for ADS self.offset_to_name = self.get_ushort_le(0x0A) # Used only for ADS # (Compressed, Encrypted, Sparse) self.flags = self.get_ushort_le(0x0C) self.identifier = self.get_ushort_le(0x0E) if (self.non_resident_flag): # Attribute is Non-Resident self.lowest_vcn = self.get_ulonglong_le(0x10) self.highest_vcn = self.get_ulonglong_le(0x18) self.data_run_offset = self.get_ushort_le(0x20) self.comp_unit_size = self.get_ushort_le(0x22) # 4 byte 0x00 padding @ 0x24 self.alloc_size = self.get_ulonglong_le(0x28) self.real_size = self.get_ulonglong_le(0x30) self.data_size = self.get_ulonglong_le(0x38) if (self.length_of_name > 0): self.attr_name = self.get_chunk( 0x40, 2 * self.length_of_name).decode('utf-16') # print self.attr_name.decode('utf-16') else: # Attribute is Resident self.attr_length = self.get_uint_le(0x10) self.attr_offset = self.get_ushort_le(0x14) self.indexed = self.get_ubyte(0x16) if (self.length_of_name > 0): self.attr_name = self.get_chunk( 0x18, 2 * self.length_of_name).decode('utf-16')
def __init__(self, data=None, offset=None, length=None, filename=None): RawStruct.__init__(self, data=data, offset=offset, length=length, filename=filename) self.oem_id = self.get_string(3, 8) self.bpb = BIOS_PARAMETER_BLOCK( self.get_ushort_le(0x0B), # bytes_per_sector self.get_ubyte(0x0D), # sectors_per_cluster self.get_ushort_le(0x0E), # reserved_sectors self.get_ubyte(0x15), # media_type self.get_ushort_le(0x18), # sectors_per_track self.get_ushort_le(0x1A), # heads self.get_uint_le(0x1C), # hidden_sectors self.get_ulonglong_le(0x28), # total sectors ) self.extended_bpb = EXTENDED_BIOS_PARAMETER_BLOCK( self.get_ulonglong_le(0x30), # mft_cluster self.get_ulonglong_le(0x38), # mft_mirror_cluster self.get_byte(0x40), # clusters_per_mft self.get_ubyte(0x44), # clusters_per_index self.get_ulonglong_le(0x48), # volume_serial )
def __init__( self, data=None, offset=None, length=None, filename=None, index=None ): RawStruct.__init__( self, data=data, filename=filename, offset=offset, length=length ) self.index = index self.attributes = [] self.fname_str = "" self.header = MFT_RECORD_HEADER( self.get_string(0, 4), # signature self.get_ushort_le(4), # upd_seq_array_offset self.get_ushort_le(6), # upd_seq_array_size self.get_ulonglong_le(8), # logfile_seq_number self.get_ushort_le(16), # seq_number self.get_ushort_le(18), # hard_link_count self.get_ushort_le(20), # first_attr_offset self.get_ushort_le(22), # flags self.get_uint_le(24), # used_size self.get_ushort_le(28), # allocated_size self.get_ulonglong_le(30), # base_file_record self.get_ushort_le(38), # next_attr_id self.get_uint_le(42) # mft_record_number ) self.name_str = self._get_entry_name(self.index) self._load_attributes()
def __init__(self, data=None, offset=None, length=None, filename=None, index=None): RawStruct.__init__(self, data=data, filename=filename, offset=offset, length=length) self.index = index self.attributes = [] self.fname_str = "" self.header = MFT_RECORD_HEADER( self.get_string(0, 4), # signature self.get_ushort_le(4), # upd_seq_array_offset self.get_ushort_le(6), # upd_seq_array_size self.get_ulonglong_le(8), # logfile_seq_number self.get_ushort_le(16), # seq_number self.get_ushort_le(18), # hard_link_count self.get_ushort_le(20), # first_attr_offset self.get_ushort_le(22), # flags self.get_uint_le(24), # used_size self.get_ushort_le(28), # allocated_size self.get_ulonglong_le(30), # base_file_record self.get_ushort_le(38), # next_attr_id self.get_uint_le(42) # mft_record_number ) self.name_str = self._get_entry_name(self.index) self._load_attributes()
def __init__(self, data=None, offset=None, length=None, filename=None): RawStruct.__init__( self, data=data, offset=offset, length=length, filename=filename ) self.oem_id = self.get_string(3, 8) self.bpb = BIOS_PARAMETER_BLOCK( self.get_ushort_le(0x0B), # bytes_per_sector self.get_ubyte(0x0D), # sectors_per_cluster self.get_ushort_le(0x0E), # reserved_sectors self.get_ubyte(0x15), # media_type self.get_ushort_le(0x18), # sectors_per_track self.get_ushort_le(0x1A), # heads self.get_uint_le(0x1C), # hidden_sectors self.get_ulonglong_le(0x28), # total sectors ) self.extended_bpb = EXTENDED_BIOS_PARAMETER_BLOCK( self.get_ulonglong_le(0x30), # mft_cluster self.get_ulonglong_le(0x38), # mft_mirror_cluster self.get_byte(0x40), # clusters_per_mft self.get_ubyte(0x44), # clusters_per_index self.get_ulonglong_le(0x48), # volume_serial )
def __init__( self, data=None, offset=None, filename=None ): RawStruct.__init__( self, data=data, offset=offset, length=BPB_SIZE + EXTENDED_BPB_SIZE, filename=filename ) self.bytes_per_sector = self.get_ushort_le(0) self.sectors_per_cluster = self.get_uchar(2) self.reserved_sectors = self.get_ushort_le(3) self.media_descriptor = self.get_uchar(10) self.sectors_per_track = self.get_ushort_le(13) self.number_of_heads = self.get_ushort_le(15) self.hidden_sectors = self.get_uint_le(17) self.total_sectors = self.get_ulonglong_le(29) self.mft_cluster = self.get_ulonglong_le(37) self.mft_mirror_cluster = self.get_ulonglong_le(45) self.clusters_per_mft = self.get_char(53) self.clusters_per_index = self.get_uchar(57) self.volume_serial = self.get_ulonglong_le(58) self.checksum = self.get_uint_le(66)
def __init__(self, data): RawStruct.__init__(self, data) self.type_guid = self.get_uuid_le(0x00) self.part_guid = self.get_uuid_le(0x10) self.first_lba = self.get_ulonglong_le(0x20) self.last_lba = self.get_ulonglong_le(0x28) self.attr_flags = self.get_ulonglong_le(0x30) self.name = self.get_chunk(0x38, 72).decode('utf-16')
def __init__(self, data): RawStruct.__init__(self, data) self.entries = [] for i in range(0, MBR_NUM_PARTS): entry = MbrPartitionEntry( self.get_chunk(PARTITION_ENTRY_SIZE * i, PARTITION_ENTRY_SIZE)) if entry.fields.part_type != 0: self.entries.append(entry)
def __init__(self, data): RawStruct.__init__(self, data) self.__partitions = [] for i in range(0, MBR_NUM_PARTS): entry = MbrPartitionEntry( self.get_chunk(PARTITION_ENTRY_SIZE * i, PARTITION_ENTRY_SIZE) ) if entry.fields.part_type != 0: self.__partitions.append(entry)
def __init__(self, filename=None, load_partition_table=True): RawStruct.__init__(self, filename=filename, length=MBR_SIZE) self.bootstrap = self.get_chunk(0, 446) signature = self.get_ushort_le(MBR_SIG_OFFSET) if signature != MBR_SIGNATURE: raise Exception("Invalid MBR signature") if load_partition_table: self._load_partition_table()
def __init__(self, data): RawStruct.__init__(self, data) self.entries = [] for i in range(0, 4): entry = MbrPartitionEntry( self.get_chunk(PT_ENTRY_SIZE * i, PT_ENTRY_SIZE) ) if (entry.fields.part_type != 0): self.entries.append(entry)
def __init__(self, data=None, offset=None, length=None, filename=None): RawStruct.__init__( self, data=data, offset=offset, length=length, filename=filename ) self.oem_id = self.get_string(3, 8) self.bpb = Bpb(self.get_chunk( BPB_OFFSET, BPB_SIZE + EXTENDED_BPB_SIZE))
def __init__(self, data): RawStruct.__init__(self, data) self.fields = GPT_PARTITION_ENTRY( (c_ubyte * 16).from_buffer_copy( self.get_chunk(0, 16)), # type_guid (c_ubyte * 16).from_buffer_copy( self.get_chunk(0x10, 16)), # part_guid self.get_ulonglong_le(0x20), # first_lba self.get_ulonglong_le(0x28), # last_lba self.get_ulonglong_le(0x30), # attr_flags self.get_chunk(0x38, 72).decode('utf-16'), # name )
def __init__(self, data): RawStruct.__init__(self, data) self.fields = GPT_PARTITION_ENTRY( (c_ubyte * 16).from_buffer_copy(self.get_chunk(0, 16)), # type_guid (c_ubyte * 16).from_buffer_copy(self.get_chunk(0x10, 16)), # part_guid self.get_ulonglong_le(0x20), # first_lba self.get_ulonglong_le(0x28), # last_lba self.get_ulonglong_le(0x30), # attr_flags self.get_chunk(0x38, 72).decode('utf-16'), # name )
def __init__(self, filename=None): RawStruct.__init__( self, filename=filename, length=MBR_SIZE ) signature = self.get_ushort_le(MBR_SIG_OFFSET) if (signature != MBR_SIGNATURE): raise Exception("Invalid MBR signature") self.partition_table = PartitionTable( self.get_chunk(PT_TABLE_OFFSET, PT_TABLE_SIZE) )
def __init__(self, filename=None, load_partition_table=True): RawStruct.__init__( self, filename=filename, length=MBR_SIZE ) self.bootstrap = self.get_chunk(0, 446) signature = self.get_ushort_le(MBR_SIG_OFFSET) if (signature != MBR_SIGNATURE): raise Exception("Invalid MBR signature") if (load_partition_table): self._load_partition_table()
def __init__(self, data): RawStruct.__init__(self, data) self.file_signature = self.get_string(0, 4) self.update_seq_array_offset = self.get_ushort_le(4) self.update_seq_array_size = self.get_ushort_le(6) self.logfile_seq_number = self.get_ulonglong_le(8) self.seq_number = self.get_ushort_le(16) self.hard_link_count = self.get_ushort_le(18) self.first_attr_offset = self.get_ushort_le(20) self.flags = self.get_ushort_le(22) self.used_size = self.get_uint_le(24) self.allocated_size = self.get_ushort_le(28) self.base_file_record = self.get_ulonglong_le(30) self.next_attr_id = self.get_ushort_le(38) self.mft_record_number = self.get_uint_le(42)
def __init__(self, data): RawStruct.__init__(self, data) tmp = self.get_ubyte(2) tmp2 = self.get_ubyte(6) self.fields = MBR_PARTITION_ENTRY( self.get_ubyte(0), # boot indicator self.get_ubyte(1), # starting_head tmp & 0x3F, # starting_sector ((tmp & 0xC0) << 2) + self.get_ubyte(3), # starting cylinder self.get_ubyte(4), # part_type self.get_ubyte(5), # ending_head tmp2 & 0x3F, # ending_sector ((tmp2 & 0xC0) << 2) + self.get_ubyte(7), # ending cylinder self.get_uint_le(8), # relative sector self.get_uint_le(12), # total sectors )
def __init__(self, data): RawStruct.__init__(self, data) self.boot_indicator = self.get_uchar(0) self.starting_head = self.get_uchar(1) tmp = self.get_uchar(2) self.starting_sector = tmp & 0x3F # Only bits 0-5 are used self.starting_cylinder = ((tmp & 0xC0) << 2) + \ self.get_uchar(3) self.part_type = self.get_uchar(4) self.ending_head = self.get_uchar(5) tmp = self.get_uchar(6) self.ending_sector = tmp & 0x3F self.ending_cylinder = ((tmp & 0xC0) << 2) + \ self.get_uchar(7) self.relative_sector = self.get_uint_le(8) self.total_sectors = self.get_uint_le(12) self.part_offset = SECTOR_SIZE*self.relative_sector
def __init__( self, data=None, offset=None, length=None, filename=None, index=None ): RawStruct.__init__( self, data=data, filename=filename, offset=offset, length=length ) self.index = index self.attributes = [] self.fname_str = "" header_data = self.get_chunk(0, MFT_ENTRY_HEADER_SIZE) self.header = MftEntryHeader(header_data) self.name_str = self._get_entry_name(self.index) self._load_attributes()
def __init__(self, data): RawStruct.__init__(self, data) self.signature = self.get_string(0, 8) if (self.signature != GPT_SIGNATURE): raise Exception("Invalid GPT signature") self.revision = self.get_uint_le(0x08) self.header_size = self.get_uint_le(0x0C) self.crc32 = self.get_uint_le(0x10) # 4 bytes @0x14 reserved, must be 0 self.current_lba = self.get_ulonglong_le(0x18) self.backup_lba = self.get_ulonglong_le(0x20) self.first_usable_lba = self.get_ulonglong_le(0x28) self.last_usable_lba = self.get_ulonglong_le(0x30) # Not sure if this is correct self.disk_guid = self.get_uuid_le(0x38) self.part_lba = self.get_ulonglong_le(0x48) self.num_partitions = self.get_uint_le(0x50) self.part_size = self.get_uint_le(0x54) self.part_array_crc32 = self.get_uint_le(0x58)
def __init__(self, data): RawStruct.__init__(self, data) self.signature = self.get_string(0x00, 2) # HFS+ everything is stored in big-endian self.version = self.get_ushort_be(0x02) self.attributes = self.get_uint_be(0x04)