def sds_entries(self):
ofs = 0
while len(self._buf) > self.offset() + ofs + 0x14:
s = SDS_ENTRY(self._buf, self.offset() + ofs, self)
if len(s) != 0:
yield s
ofs += len(s)
ofs = align(ofs, 0x10)
else:
if ofs % 0x10000 == 0:
return
else:
ofs = align(ofs, 0x10000)
def sds_entries(self):
ofs = 0
while len(self._buf) > self.offset() + ofs + 0x14:
s = SDS_ENTRY(self._buf, self.offset() + ofs, self)
if len(s) != 0:
yield s
ofs += len(s)
ofs = align(ofs, 0x10)
else:
if ofs % 0x10000 == 0:
return
else:
ofs = align(ofs, 0x10000)
def ACEs(self):
ofs = self._off_ACEs
for _ in range(self.ace_count()):
a = ACE.get_ace(self._buf, self.offset() + ofs, self)
yield a
ofs += a.size()
ofs = align(ofs, 4)
def ACEs(self):
ofs = self._off_ACEs
for _ in range(self.ace_count()):
a = ACE.get_ace(self._buf, self.offset() + ofs, self)
yield a
ofs += a.size()
ofs = align(ofs, 4)
def __init__(self, buf, offset, parent):
super(ITEMPOS_FILEENTRY, self).__init__(buf, offset, parent)
self.declare_field("word", "size", 0x0) # override
self.declare_field("word", "flags", 0x2)
if self.flags() & 0xFF == 0xC3:
# network share type, printers, etc
self.declare_field("string", "long_name", 0x5)
return
off = 4
self.declare_field("dword", "filesize", off)
off += 4
self.declare_field("dosdate", "m_date", off)
off += 4
self.declare_field("word", "fileattrs", off)
off += 2
self.declare_field("string", "short_name", off)
off += len(self.short_name()) + 1
off = align(off, 2)
self.declare_field("word", "ext_size", off)
off += 2
self.declare_field("word", "ext_version", off)
off += 2
if self.ext_version() >= 0x03:
off += 4 # unknown
self.declare_field("dosdate", "cr_date", off)
off += 4
self.declare_field("dosdate", "a_date", off)
off += 4
off += 4 # unknown
else:
self.cr_date = lambda: datetime.datetime.min
self.a_date = lambda: datetime.datetime.min
if self.ext_version() >= 0x0007:
off += 8 # fileref
off += 8 # unknown
self._off_long_name_size = off
off += 2
if self.ext_version() >= 0x0008:
off += 4 # unknown
self._off_long_name = off
off += self.long_name_size()
elif self.ext_version() >= 0x0003:
self._off_long_name_size = False
self._off_long_name = off
else:
self._off_long_name_size = False
self._off_long_name = False
def __init__(self, buf, offset, parent):
super(ITEMPOS_FILEENTRY, self).__init__(buf, offset, parent)
self.declare_field("word", "size", 0x0) # override
self.declare_field("word", "flags", 0x2)
if self.flags() & 0xFF == 0xC3:
# network share type, printers, etc
self.declare_field("string", "long_name", 0x5)
return
off = 4
self.declare_field("dword", "filesize", off)
off += 4
self.declare_field("dosdate", "m_date", off)
off += 4
self.declare_field("word", "fileattrs", off)
off += 2
self.declare_field("string", "short_name", off)
off += len(self.short_name()) + 1
off = align(off, 2)
self.declare_field("word", "ext_size", off)
off += 2
self.declare_field("word", "ext_version", off)
off += 2
if self.ext_version() >= 0x03:
off += 4 # unknown
self.declare_field("dosdate", "cr_date", off)
off += 4
self.declare_field("dosdate", "a_date", off)
off += 4
off += 4 # unknown
else:
self.cr_date = lambda: datetime.datetime.min
self.a_date = lambda: datetime.datetime.min
if self.ext_version() >= 0x0007:
off += 8 # fileref
off += 8 # unknown
self._off_long_name_size = off
off += 2
if self.ext_version() >= 0x0008:
off += 4 # unknown
self._off_long_name = off
off += self.long_name_size()
elif self.ext_version() >= 0x0003:
self._off_long_name_size = False
self._off_long_name = off
else:
self._off_long_name_size = False
self._off_long_name = False
def __init__(self, buf, offset, parent):
logging.debug("INDEX ENTRY at %s.", hex(offset))
super(IndexEntry, self).__init__(buf, offset)
self.declare_field("qword", "mft_reference", 0x0)
self.declare_field("word", "length")
self.declare_field("word", "filename_information_length")
self.declare_field("dword", "flags")
self.declare_field(
"binary", "filename_information_buffer", self.current_field_offset(), self.filename_information_length()
)
self.declare_field("qword", "child_vcn", align(self.current_field_offset(), 0x8))
def __init__(self, buf, offset, parent):
super(SHITEM_UNKNOWNENTRY3, self).__init__(buf, offset, parent, 0x4)
self.declare_field("word", "size", 0x0)
# most of this is unknown
offs = 0x18
self.declare_field("string", "short_name", offs)
offs += len(self.short_name()) + 1
offs = align(offs, 2)
offs += 0x4C
self.declare_field("wstring", "long_name", offs)
def __init__(self, buf, offset, parent):
super(SHITEM_UNKNOWNENTRY3, self).__init__(buf, offset, parent, 0x4)
self.declare_field("word", "size", 0x0)
# most of this is unknown
offs = 0x18
self.declare_field("string", "short_name", offs)
offs += len(self.short_name()) + 1
offs = align(offs, 2)
offs += 0x4C
self.declare_field("wstring", "long_name", offs)
def __init__(self, buf, offset, parent, filesize_offset):
super(FILEENTRY_FRAGMENT, self).__init__(buf, offset, parent)
off = filesize_offset
self.declare_field("dword", "filesize", off); off += 4
self.declare_field("dosdate", "m_date", off); off += 4
self.declare_field("word", "fileattrs", off); off += 2
self.declare_field("string", "short_name", off)
off += len(self.short_name()) + 1
off = align(off, 2)
def __init__(self, buf, offset, parent):
logging.debug("INDEX ENTRY at %s.", hex(offset))
super(IndexEntry, self).__init__(buf, offset)
self.declare_field("qword", "mft_reference", 0x0)
self.declare_field("word", "length")
self.declare_field("word", "filename_information_length")
self.declare_field("dword", "flags")
self.declare_field("binary", "filename_information_buffer", \
self.current_field_offset(),
self.filename_information_length())
self.declare_field("qword", "child_vcn",
align(self.current_field_offset(), 0x8))
def __init__(self, buf, offset, parent, filesize_offset):
debug("FILEENTRY_FRAGMENT @ %s." % (hex(offset)))
super(FILEENTRY_FRAGMENT, self).__init__(buf, offset, parent)
off = filesize_offset
self.declare_field("dword", "filesize", off); off += 4
self.declare_field("dosdate", "m_date", off); off += 4
self.declare_field("word", "fileattrs", off); off += 2
self.declare_field("string", "short_name", off)
off += len(self.short_name()) + 1
off = align(off, 2)
def __init__(self, buf, offset, parent, filesize_offset):
super(Fileentry, self).__init__(buf, offset, parent)
off = filesize_offset
self.declare_field("dword", "filesize", off)
off += 4
self.declare_field("dosdate", "m_date", off)
off += 4
self.declare_field("word", "fileattrs", off)
off += 2
self.declare_field("string", "short_name", off)
off += len(self.short_name()) + 1
off = align(off, 2)
self.declare_field("word", "ext_size", off)
off += 2
self.declare_field("word", "ext_version", off)
off += 2
if self.ext_version() >= 0x03:
off += 4 # unknown
self.declare_field("dosdate", "cr_date", off)
off += 4
self.declare_field("dosdate", "a_date", off)
off += 4
off += 4 # unknown
else:
self.cr_date = lambda: datetime.datetime.min
self.a_date = lambda: datetime.datetime.min
if self.ext_version() >= 0x0007:
off += 8 # fileref
off += 8 # unknown
self._off_long_name_size = off
off += 2
if self.ext_version() >= 0x0008:
off += 4 # unknown
self._off_long_name = off
off += self.long_name_size()
elif self.ext_version() >= 0x0003:
self._off_long_name_size = False
self._off_long_name = off
else:
self._off_long_name_size = False
self._off_long_name = False
def __init__(self, buf, offset, parent, filesize_offset):
super(Fileentry, self).__init__(buf, offset, parent)
off = filesize_offset
self.declare_field("dword", "filesize", off)
off += 4
self.declare_field("dosdate", "m_date", off)
off += 4
self.declare_field("word", "fileattrs", off)
off += 2
self.declare_field("string", "short_name", off)
off += len(self.short_name()) + 1
off = align(off, 2)
self.declare_field("word", "ext_size", off)
off += 2
self.declare_field("word", "ext_version", off)
off += 2
if self.ext_version() >= 0x03:
off += 4 # unknown
self.declare_field("dosdate", "cr_date", off)
off += 4
self.declare_field("dosdate", "a_date", off)
off += 4
off += 4 # unknown
else:
self.cr_date = lambda: datetime.datetime.min
self.a_date = lambda: datetime.datetime.min
if self.ext_version() >= 0x0007:
off += 8 # fileref
off += 8 # unknown
self._off_long_name_size = off
off += 2
if self.ext_version() >= 0x0008:
off += 4 # unknown
self._off_long_name = off
off += self.long_name_size()
elif self.ext_version() >= 0x0003:
self._off_long_name_size = False
self._off_long_name = off
else:
self._off_long_name_size = False
self._off_long_name = False
