def sds_entries(self):
    """Yield every non-empty SDS_ENTRY found in this block's buffer, in order.

    Scanning starts at this block's own offset and continues while more
    than 0x14 bytes remain in ``self._buf`` past the cursor.

    * A non-empty entry is yielded; the cursor then moves past it and is
      passed through ``align(..., 0x10)``.
    * A zero-length entry ends the scan when the cursor sits on a 0x10000
      boundary; otherwise the cursor is passed through
      ``align(..., 0x10000)`` and scanning resumes there.

    Yields:
        SDS_ENTRY objects constructed over ``self._buf``.
    """
    cursor = 0
    while len(self._buf) > self.offset() + cursor + 0x14:
        entry = SDS_ENTRY(self._buf, self.offset() + cursor, self)

        if len(entry) == 0:
            if cursor % 0x10000 == 0:
                # Zero-length entry exactly on a 0x10000 boundary: stop.
                return
            # Zero-length entry elsewhere: jump ahead and keep scanning.
            cursor = align(cursor, 0x10000)
            continue

        yield entry
        # NOTE(review): len(entry) presumably reflects a length stored in the
        # entry itself, i.e. data from the artifact being parsed -- confirm in
        # SDS_ENTRY. Assuming align() rounds up to a multiple of its second
        # argument, every pass either moves the cursor forward or returns, so
        # a malformed length cannot stall this loop; an oversized length just
        # ends the scan early via the while condition.
        cursor = align(cursor + len(entry), 0x10)
def ACEs(self):
    """Yield the ACE objects of this structure, in stored order.

    The first ACE is read at ``self._off_ACEs`` (relative to this
    structure's offset). After each ACE is yielded, the position moves
    forward by that ACE's ``size()`` and is passed through
    ``align(..., 4)``. Exactly ``self.ace_count()`` ACEs are produced.

    Yields:
        Whatever ``ACE.get_ace`` returns for each position.
    """
    position = self._off_ACEs
    for _index in range(self.ace_count()):
        entry = ACE.get_ace(self._buf, self.offset() + position, self)
        yield entry
        # NOTE(review): both the ACE count and each ACE size are obtained from
        # the parsed objects, and nothing in this method checks that
        # `position` stays inside self._buf. Confirm that ACE.get_ace (or the
        # underlying field readers) rejects out-of-range offsets on malformed
        # input. The loop itself is bounded by ace_count().
        position = align(position + entry.size(), 4)
def __init__(self, buf, offset, parent):
    """Declare the fields of an ITEMPOS file-entry item.

    Args:
        buf: Buffer handed to the base initialiser.
        offset: Offset handed to the base initialiser.
        parent: Parent object handed to the base initialiser.

    Items whose low flag byte equals 0xC3 only get a ``long_name`` string
    field at 0x5. All other items are laid out sequentially from offset 4:
    ``filesize``, ``m_date``, ``fileattrs``, ``short_name``, then
    ``ext_size`` and ``ext_version``. The extension version decides whether
    ``cr_date``/``a_date`` are declared and where the long name lives.

    ``_off_long_name_size`` and ``_off_long_name`` are set to ``False`` when
    the extension version does not provide them.
    """
    super(ITEMPOS_FILEENTRY, self).__init__(buf, offset, parent)

    self.declare_field("word", "size", 0x0)  # override
    self.declare_field("word", "flags", 0x2)

    if (self.flags() & 0xFF) == 0xC3:
        # network share type, printers, etc
        self.declare_field("string", "long_name", 0x5)
        return

    # NOTE(review): from here on every offset depends on values read out of
    # the item itself (short_name length, ext_version, long_name_size()).
    # No comparison against the declared `size` field or the buffer length is
    # visible in this constructor -- confirm that the field readers bound
    # their reads when the item is truncated or malformed.
    cursor = 4
    self.declare_field("dword", "filesize", cursor)
    cursor += 4
    self.declare_field("dosdate", "m_date", cursor)
    cursor += 4
    self.declare_field("word", "fileattrs", cursor)
    cursor += 2
    self.declare_field("string", "short_name", cursor)
    # Skip the string plus one more byte (presumably its terminator), then
    # re-align to a 2-byte boundary.
    cursor = align(cursor + len(self.short_name()) + 1, 2)

    self.declare_field("word", "ext_size", cursor)
    cursor += 2
    self.declare_field("word", "ext_version", cursor)
    cursor += 2

    if self.ext_version() >= 0x03:
        cursor += 4  # unknown
        self.declare_field("dosdate", "cr_date", cursor)
        cursor += 4
        self.declare_field("dosdate", "a_date", cursor)
        cursor += 4
        cursor += 4  # unknown
    else:
        # No creation/access dates at this version: install accessors that
        # return the minimum datetime instead.
        self.cr_date = lambda: datetime.datetime.min
        self.a_date = lambda: datetime.datetime.min

    if self.ext_version() >= 0x0007:
        cursor += 8  # fileref
        cursor += 8  # unknown

        self._off_long_name_size = cursor
        cursor += 2
        if self.ext_version() >= 0x0008:
            cursor += 4  # unknown

        self._off_long_name = cursor
        # long_name_size() is not declared in this constructor; presumably it
        # is defined elsewhere on the class and reads at _off_long_name_size.
        cursor += self.long_name_size()
    elif self.ext_version() >= 0x0003:
        self._off_long_name_size = False
        self._off_long_name = cursor
    else:
        self._off_long_name_size = False
        self._off_long_name = False
def __init__(self, buf, offset, parent):
    """Declare the fields of one index entry.

    Args:
        buf: Buffer handed to the base initialiser.
        offset: Offset of this entry; logged and handed to the base
            initialiser.
        parent: Accepted but not used by this constructor.

    Declared fields, in order: ``mft_reference`` (qword at 0x0), ``length``,
    ``filename_information_length``, ``flags``, the variable-length
    ``filename_information_buffer`` and ``child_vcn`` at the next offset
    produced by ``align(..., 0x8)``.
    """
    logging.debug("INDEX ENTRY at %s.", hex(offset))
    # NOTE(review): `parent` is not forwarded to the base initialiser --
    # confirm this matches the base class signature.
    super(IndexEntry, self).__init__(buf, offset)

    self.declare_field("qword", "mft_reference", 0x0)
    # These three are declared without an explicit offset; presumably
    # declare_field places each right after the previous field -- confirm.
    for kind, name in (
        ("word", "length"),
        ("word", "filename_information_length"),
        ("dword", "flags"),
    ):
        self.declare_field(kind, name)

    # NOTE(review): the buffer length is the 16-bit value just read from the
    # entry. No check against `length` or the end of `buf` is visible here;
    # confirm the binary field reader bounds the read on malformed entries.
    info_start = self.current_field_offset()
    info_length = self.filename_information_length()
    self.declare_field(
        "binary", "filename_information_buffer", info_start, info_length
    )

    vcn_offset = align(self.current_field_offset(), 0x8)
    self.declare_field("qword", "child_vcn", vcn_offset)
def __init__(self, buf, offset, parent):
    """Declare the known fields of a SHITEM_UNKNOWNENTRY3 item.

    Args:
        buf: Buffer handed to the base initialiser.
        offset: Offset handed to the base initialiser.
        parent: Parent object handed to the base initialiser.

    The base initialiser is additionally given 0x4 as its fourth argument.
    Only ``size``, ``short_name`` (at 0x18) and ``long_name`` are declared
    here; the rest of the layout is unknown.
    """
    super(SHITEM_UNKNOWNENTRY3, self).__init__(buf, offset, parent, 0x4)

    self.declare_field("word", "size", 0x0)

    # most of this is unknown
    cursor = 0x18
    self.declare_field("string", "short_name", cursor)
    # Skip the string plus one more byte (presumably its terminator), align
    # to 2 bytes, then skip 0x4C bytes of unknown content.
    # NOTE(review): the long_name offset depends on the short_name length
    # read from the item; no check against `size` is visible here.
    cursor = align(cursor + len(self.short_name()) + 1, 2) + 0x4C
    self.declare_field("wstring", "long_name", cursor)
def __init__(self, buf, offset, parent, filesize_offset):
    """Declare the leading file-entry fields shared by file-entry items.

    Args:
        buf: Buffer handed to the base initialiser.
        offset: Offset handed to the base initialiser.
        parent: Parent object handed to the base initialiser.
        filesize_offset: Offset of the ``filesize`` field; the remaining
            fields follow it back to back.
    """
    super(FILEENTRY_FRAGMENT, self).__init__(buf, offset, parent)

    # Fixed-width fields, expressed relative to filesize_offset.
    self.declare_field("dword", "filesize", filesize_offset)
    self.declare_field("dosdate", "m_date", filesize_offset + 4)
    self.declare_field("word", "fileattrs", filesize_offset + 8)

    name_offset = filesize_offset + 10
    self.declare_field("string", "short_name", name_offset)

    # End of the fragment: past the string plus one more byte (presumably its
    # terminator), aligned to 2 bytes. The value is not stored or used further
    # in this constructor, but short_name() is still read here.
    end_offset = align(name_offset + len(self.short_name()) + 1, 2)
def __init__(self, buf, offset, parent):
    """Declare the fields of one index entry.

    Args:
        buf: Buffer handed to the base initialiser.
        offset: Offset of this entry; logged and handed to the base
            initialiser.
        parent: Accepted but not used by this constructor.

    The entry consists of ``mft_reference``, ``length``,
    ``filename_information_length``, ``flags``, a variable-length
    ``filename_information_buffer`` and finally ``child_vcn`` at an offset
    produced by ``align(..., 0x8)``.
    """
    logging.debug("INDEX ENTRY at %s.", hex(offset))
    # NOTE(review): `parent` is not forwarded to the base initialiser --
    # confirm this matches the base class signature.
    super(IndexEntry, self).__init__(buf, offset)

    self.declare_field("qword", "mft_reference", 0x0)
    # No explicit offsets below; presumably declare_field continues from the
    # end of the previously declared field -- confirm.
    self.declare_field("word", "length")
    self.declare_field("word", "filename_information_length")
    self.declare_field("dword", "flags")

    # NOTE(review): the size of this buffer comes straight from the entry
    # being parsed. Nothing visible here compares it with `length` or with
    # the end of `buf`; confirm the binary reader bounds the read.
    buffer_offset = self.current_field_offset()
    buffer_size = self.filename_information_length()
    self.declare_field(
        "binary",
        "filename_information_buffer",
        buffer_offset,
        buffer_size,
    )

    self.declare_field(
        "qword",
        "child_vcn",
        align(self.current_field_offset(), 0x8),
    )
def __init__(self, buf, offset, parent, filesize_offset):
    """Declare the leading file-entry fields shared by file-entry items.

    Args:
        buf: Buffer handed to the base initialiser.
        offset: Offset of this item; reported through ``debug`` and handed
            to the base initialiser.
        parent: Parent object handed to the base initialiser.
        filesize_offset: Offset of the ``filesize`` field; the remaining
            fields follow it back to back.
    """
    debug("FILEENTRY_FRAGMENT @ %s." % (hex(offset)))
    super(FILEENTRY_FRAGMENT, self).__init__(buf, offset, parent)

    # Fixed-width fields, expressed relative to filesize_offset.
    self.declare_field("dword", "filesize", filesize_offset)
    self.declare_field("dosdate", "m_date", filesize_offset + 4)
    self.declare_field("word", "fileattrs", filesize_offset + 8)

    name_offset = filesize_offset + 10
    self.declare_field("string", "short_name", name_offset)

    # End of the fragment: past the string plus one more byte (presumably its
    # terminator), aligned to 2 bytes. The value is not stored or used further
    # in this constructor, but short_name() is still read here.
    end_offset = align(name_offset + len(self.short_name()) + 1, 2)
def __init__(self, buf, offset, parent, filesize_offset):
    """Declare the fields of a file-entry item.

    Args:
        buf: Buffer handed to the base initialiser.
        offset: Offset handed to the base initialiser.
        parent: Parent object handed to the base initialiser.
        filesize_offset: Offset of the ``filesize`` field; every later
            field is positioned relative to it.

    Fields are laid out sequentially: ``filesize``, ``m_date``,
    ``fileattrs``, ``short_name``, then ``ext_size`` and ``ext_version``.
    The extension version decides whether ``cr_date``/``a_date`` are
    declared and where the long name lives.

    ``_off_long_name_size`` and ``_off_long_name`` are set to ``False`` when
    the extension version does not provide them.
    """
    super(Fileentry, self).__init__(buf, offset, parent)

    # NOTE(review): every offset after short_name depends on values read out
    # of the item itself (short_name length, ext_version, long_name_size()).
    # No comparison against the item size or the buffer length is visible in
    # this constructor -- confirm that the field readers bound their reads
    # when the item is truncated or malformed.
    cursor = filesize_offset
    self.declare_field("dword", "filesize", cursor)
    cursor += 4
    self.declare_field("dosdate", "m_date", cursor)
    cursor += 4
    self.declare_field("word", "fileattrs", cursor)
    cursor += 2
    self.declare_field("string", "short_name", cursor)
    # Skip the string plus one more byte (presumably its terminator), then
    # re-align to a 2-byte boundary.
    cursor = align(cursor + len(self.short_name()) + 1, 2)

    self.declare_field("word", "ext_size", cursor)
    cursor += 2
    self.declare_field("word", "ext_version", cursor)
    cursor += 2

    if self.ext_version() >= 0x03:
        cursor += 4  # unknown
        self.declare_field("dosdate", "cr_date", cursor)
        cursor += 4
        self.declare_field("dosdate", "a_date", cursor)
        cursor += 4
        cursor += 4  # unknown
    else:
        # No creation/access dates at this version: install accessors that
        # return the minimum datetime instead.
        self.cr_date = lambda: datetime.datetime.min
        self.a_date = lambda: datetime.datetime.min

    if self.ext_version() >= 0x0007:
        cursor += 8  # fileref
        cursor += 8  # unknown

        self._off_long_name_size = cursor
        cursor += 2
        if self.ext_version() >= 0x0008:
            cursor += 4  # unknown

        self._off_long_name = cursor
        # long_name_size() is not declared in this constructor; presumably it
        # is defined elsewhere on the class and reads at _off_long_name_size.
        cursor += self.long_name_size()
    elif self.ext_version() >= 0x0003:
        self._off_long_name_size = False
        self._off_long_name = cursor
    else:
        self._off_long_name_size = False
        self._off_long_name = False