def parse_resident_attr(self, data, offset, attr):
    """Decode the resident-specific tail of an attribute header into ``attr``.

    Args:
        data: buffer holding the MFT entry.
        offset: start of the attribute header within ``data``.
        attr: map already holding the common header fields; extended in place.

    Returns:
        ``attr`` with ``content_size``, ``content_offset`` and ``indexed_flag``
        merged in via ``self.copy_map``.
    """
    fields = Schema()
    # The resident form places its three extra fields directly after the
    # 16-byte common header.
    for field_name, rel_offset, width in (
        ("content_size", 16, 4),
        ("content_offset", 20, 2),
        ("indexed_flag", 22, 1),
    ):
        fields.add(field_name, offset + rel_offset, width)
    resident = Utils.schema_to_map(fields, data, endian=Utils.LITTLE_ENDIAN)
    self.copy_map(resident, attr)
    return attr
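def parse_attr_header(self, data, offset):
    """Decode the 16-byte common attribute header that starts at ``offset``.

    Args:
        data: buffer holding the MFT entry.
        offset: start of the attribute within ``data``.

    Returns:
        Map with ``attr_type_id``, ``length``, ``non-resident``, ``name_len``,
        ``offset_name``, ``flags`` and ``attr_id``.
    """
    attr_desc = Schema()
    attr_desc.add("attr_type_id", offset, 4)
    attr_desc.add("length", offset + 4, 4)
    attr_desc.add("non-resident", offset + 8, 1)
    attr_desc.add("name_len", offset + 9, 1)
    attr_desc.add("offset_name", offset + 10, 2)
    attr_desc.add("flags", offset + 12, 2)
    # attr_id lives at +14 within the attribute; it was previously read from
    # absolute offset 14 of the entry, i.e. inside the MFT record header.
    attr_desc.add("attr_id", offset + 14, 2)
    return Utils.schema_to_map(attr_desc, data, endian=Utils.LITTLE_ENDIAN)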
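def parse_mft(self, start_mft):
    """Read one MFT entry, apply its fixup (update sequence) array, parse its attributes.

    Args:
        start_mft: location handed straight to ``self.read`` to fetch the entry.

    Returns:
        Whatever ``self.parse_attrs`` returns for the entry's attribute list.

    Raises:
        ValueError: if the fixup array or the sectors it covers do not fit in
            the buffer, or if a sector's trailing two bytes do not equal the
            entry's update sequence number (a torn write, corruption, or a
            crafted entry - the data must not be trusted in that case).
    """
    # Fixups are patched in place, so the buffer must support item assignment
    # (e.g. a bytearray); ``self.read`` is not visible here - TODO confirm.
    data = self.read(start_mft)
    mft_desc = Schema()
    mft_desc.add("signature", 0, 4, dtype="str")
    mft_desc.add("offset_fixup_array", 4, 2)
    mft_desc.add("count_of_fixup_array", 6, 2)
    mft_desc.add("lsn", 8, 8)
    mft_desc.add("seq_value", 16, 2)
    mft_desc.add("hard_link_count", 18, 2)
    mft_desc.add("offset_first_attr", 20, 2)
    mft_desc.add("flags", 22, 2)
    mft_desc.add("used_size_of_mft_etnry", 24, 4)
    mft_desc.add("allocated_size_of_mft_entry", 28, 4)
    mft_desc.add("file_ref_to_base", 32, 8)
    mft_desc.add("next_attr_id", 40, 2)
    mft = Utils.schema_to_map(mft_desc, data, endian=Utils.LITTLE_ENDIAN)

    usn_offset = mft["offset_fixup_array"]
    # The array's first word is the update sequence number (USN); the original
    # last two bytes of each 512-byte sector follow it, one word per sector.
    # The count includes the USN word itself, so sectors covered = count - 1.
    sector_count = mft["count_of_fixup_array"] - 1
    fixup_array = usn_offset + 2
    if fixup_array + 2 * sector_count > len(data) or 512 * sector_count > len(data):
        raise ValueError("fixup array does not fit in MFT entry buffer")
    usn = data[usn_offset:usn_offset + 2]
    for i in range(sector_count):
        sector_end = 512 * i + 510
        # On disk every sector ends with the USN; anything else means the
        # sector was not written as part of this entry's last update.
        if data[sector_end:sector_end + 2] != usn:
            raise ValueError(f"fixup mismatch in sector {i} of MFT entry")
        # Restore this sector's original bytes from its own array slot
        # (previously every sector was overwritten with slot 0).
        src = fixup_array + 2 * i
        data[sector_end] = data[src]
        data[sector_end + 1] = data[src + 1]
    return self.parse_attrs(data, mft["offset_first_attr"])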
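def parse_vbr(self, data):
    """Decode the NTFS volume boot record fields this parser needs.

    Args:
        data: buffer holding at least the first 69 bytes of the boot sector.

    Returns:
        Map of field name to value, as produced by ``Utils.schema_to_map``.
    """
    vbr_desc = Schema()
    vbr_desc.add("oem_name", 3, 8, dtype="str")
    vbr_desc.add("bps", 11, 2)   # bytes per sector
    vbr_desc.add("spc", 13, 1)   # sectors per cluster
    vbr_desc.add("total_sectors", 40, 8)
    vbr_desc.add("mft", 48, 8)   # $MFT start cluster
    # $MFTMirr's start cluster is an 8-byte LCN like "mft"; reading only
    # 4 bytes silently truncated it on large volumes.
    vbr_desc.add("mftmirr", 56, 8)
    # NOTE(review): on disk these two bytes are signed - a negative value v
    # means an absolute size of 2**(-v) bytes rather than v clusters. Whether
    # Schema/Utils honour that is not visible here; callers must interpret
    # the raw byte accordingly - TODO confirm.
    vbr_desc.add("mft_entry_size", 64, 1)
    vbr_desc.add("index_record_size", 68, 1)
    return Utils.schema_to_map(vbr_desc, data, endian=Utils.LITTLE_ENDIAN)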
def parse_non_resident_attr(self, data, offset, attr):
    """Decode the non-resident tail of an attribute header and its run list.

    Args:
        data: buffer holding the MFT entry.
        offset: start of the attribute header within ``data``.
        attr: map already holding the common header fields; extended in place.

    Returns:
        ``attr`` with the VCN range, size fields and a ``runlists`` entry
        (from ``self.parse_runlists``) merged in.
    """
    layout = (
        ("start_vcn", 16, 8),
        ("end_vcn", 24, 8),
        ("runlists_offset", 32, 2),
        ("comp_unit_size", 34, 2),
        ("alloc_size", 40, 8),
        ("real_size", 48, 8),
        ("init_size", 56, 8),
    )
    fields = Schema()
    for field_name, rel_offset, width in layout:
        fields.add(field_name, offset + rel_offset, width)
    non_resident = Utils.schema_to_map(fields, data, endian=Utils.LITTLE_ENDIAN)
    self.copy_map(non_resident, attr)
    # The run list offset is relative to the attribute start, not the entry.
    runlist_start = offset + non_resident["runlists_offset"]
    attr["runlists"] = self.parse_runlists(data, runlist_start)
    return attr