Example #1
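   def init_entry(self, block, kind):
       """Decode an index entry's fixed header and, for kind 0x30, its file name.

       ``block`` holds the raw bytes of a single entry. Every field is taken
       from it without validation, so the resulting attributes must be
       treated as untrusted when the bytes come from a damaged or
       deliberately crafted volume or image.

       Args:
           block: raw entry bytes (indexed as a Python 2 ``str``).
           kind: attribute type being indexed; the parent reference, time
               and name fields are only parsed when this is 0x30.

       Raises:
           struct.error: when a fixed-width slice of ``block`` is too short.
           IndexError: when ``block`` has no byte at offset 0x50.
       """
       self.filerecord = _Unpack48(block[0:6])
       self.seqnumber, = struct.unpack("<H", block[6:8])
       self.elength, self.alength = struct.unpack("<HH", block[8:12])
       self.flags, = struct.unpack("<I", block[12:16])
       # Bit 0 set: the last 8 bytes of the entry carry a VCN.
       # -1 is the sentinel for "no VCN present".
       if self.flags & 1:
           self.vcn, = struct.unpack("<Q", block[-8:])
       else:
           self.vcn = -1

       self.filename = ""

       # Name fields are only read for kind 0x30 entries with bit 1 clear.
       # NOTE(review): presumably bit 1 marks the terminating entry of the
       # index node -- confirm against the caller.
       if kind == 0x30 and (self.flags & 2) == 0:
           self.parentdir = _Unpack48(block[0x10:0x16])
           self.parentdirseq, = struct.unpack("<H", block[0x16:0x18])
           # block[0x18:0x38] spans four consecutive 8-byte values; earlier
           # code unpacked them one by one as ctime, atime, mtime and rtime.
           self.time = _NTFSTime(block[0x18:0x38])

           # Name length is counted in UTF-16 code units, hence the "* 2".
           self.fnamelength, = struct.unpack("B", block[0x50])
           # NOTE(review): slicing never raises, so an entry truncated
           # before the end of the name silently yields a shorter name;
           # fnamelength is not checked against elength or len(block).
           unicodename = block[0x52:0x52 + self.fnamelength * 2]
           try:
               self.filename = unicodename.decode("utf-16-le")
           except UnicodeDecodeError:
               # Only a malformed name is expected here; a bare except would
               # also swallow KeyboardInterrupt and genuine bugs. The bytes
               # are image-controlled, so log their repr rather than writing
               # raw control characters to the terminal.
               print("decode error %r" % (unicodename,))
               self.filename = ""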
Example #2
 def init_attribute(self, attr, offset):
     """Parse the attribute header, wrap its content and decode the name fields.

     Records ``offset`` as the attribute location, lets ``parse_header``
     fill in the header state, picks the resident or non-resident content
     wrapper, then reads every field from content offsets 0 to 66 plus
     the name.

     NOTE(review): all values come straight from the parsed image. The
     name length is not checked here, how ``read_data`` treats an
     out-of-range request is not visible in this block, and the final
     decode raises UnicodeDecodeError on a malformed name.
     """
     self.a_location = offset
     self.parse_header(attr)

     content_cls = (_ResidentAttribute if self.a_resident == True
                    else _NonResidentAttribute)
     self.a_content = content_cls(attr, self)
     read = self.a_content.read_data

     self.a_parentdir = _Unpack48(read(0, 6))
     self.a_parentsq = struct.unpack("<H", read(6, 8))[0]
     self.a_time = _NTFSTime(read(8, 40))

     # Remaining fixed-width little-endian fields, in on-disk order:
     # (attribute name, struct format, start, end).
     fixed_fields = (
         ("a_logicalfilesize", "<Q", 40, 48),
         ("a_sizeondisk", "<Q", 48, 56),
         ("a_fflags", "<I", 56, 60),
         ("a_reparse", "<I", 60, 64),
         ("a_namelen", "B", 64, 65),
         ("a_nametype", "B", 65, 66),
     )
     for field, fmt, start, end in fixed_fields:
         setattr(self, field, struct.unpack(fmt, read(start, end))[0])

     # a_namelen counts UTF-16 code units, so the name spans twice as many bytes.
     self.a_name = read(66, 66 + (self.a_namelen * 2))
     self.a_ascname = self.a_name.decode("utf-16-le")
Example #3
 def init_attribute(self,attr, offset):
     """Populate this object from one raw attribute found at ``offset``.

     After ``parse_header`` has run, the content is wrapped as resident or
     non-resident and the parent reference, times, sizes, flags and name
     are read from it at fixed offsets.

     NOTE(review): the bytes are image-controlled. ``a_namelen`` is used
     unchecked to size the name read, and a malformed name makes the
     final decode raise UnicodeDecodeError; callers handling untrusted
     images should expect that.
     """
     self.a_location = offset
     self.parse_header(attr)

     if self.a_resident == True:
         content = _ResidentAttribute(attr, self)
     else:
         content = _NonResidentAttribute(attr, self)
     self.a_content = content

     # Parent reference: 48-bit value followed by a 16-bit sequence number.
     self.a_parentdir = _Unpack48(content.read_data(0, 6))
     (self.a_parentsq,) = struct.unpack("<H", content.read_data(6, 8))

     # 32 bytes of timestamp data, handed to _NTFSTime as one slice.
     self.a_time = _NTFSTime(content.read_data(8, 40))

     (self.a_logicalfilesize,) = struct.unpack("<Q", content.read_data(40, 48))
     (self.a_sizeondisk,) = struct.unpack("<Q", content.read_data(48, 56))
     (self.a_fflags,) = struct.unpack("<I", content.read_data(56, 60))
     (self.a_reparse,) = struct.unpack("<I", content.read_data(60, 64))
     (self.a_namelen,) = struct.unpack("B", content.read_data(64, 65))
     (self.a_nametype,) = struct.unpack("B", content.read_data(65, 66))

     # The name length is in UTF-16 code units: two bytes each.
     name_end = 66 + (self.a_namelen * 2)
     self.a_name = content.read_data(66, name_end)
     self.a_ascname = self.a_name.decode("utf-16-le")