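def __init__(self, data):
    """Parse the common attribute header from the raw bytes in ``data``.

    ``attr_type`` and ``attr_length`` are always set.  When the type is
    0xffffffff nothing else is parsed.  Otherwise the shared header fields
    are read, followed by either the non-resident fields or, for a resident
    attribute, ``content_size``, ``content_offset`` and the ``content``
    slice.  ``content`` therefore exists only on resident attributes; code
    that reads ``self.content`` on any other instance gets AttributeError.

    ``br(data, first, last)`` is used as an inclusive byte range (see the
    one-byte reads at offsets 8 and 9) -- TODO confirm against its
    definition.

    Args:
        data: Raw bytes starting at the first byte of the attribute.
    """
    self.attr_type = fields.Field(br(data, 0, 3))
    self.attr_length = fields.Field(br(data, 4, 7))

    # NOTE(review): 0xffffffff looks like the end-of-attributes marker;
    # only type and length are populated for it -- confirm with the caller.
    if self.attr_type.value == 0xffffffff:
        return

    self.non_resident = fields.NonResField(br(data, 8, 8))
    self.name_length = fields.Field(br(data, 9, 9))
    self.name_offset = fields.Field(br(data, 10, 11))
    self.flags = fields.Field(br(data, 12, 13))
    self.attr_id = fields.Field(br(data, 14, 15))

    if self.non_resident.value:
        self.vcn_start = fields.Field(br(data, 16, 23))
        self.vcn_end = fields.Field(br(data, 24, 31))
        self.runlist_offset = fields.Field(br(data, 32, 33))
        self.compression_size = fields.Field(br(data, 34, 35))
        self.non_res_unused = fields.Field(br(data, 36, 39))
        self.attr_allocated_size = fields.Field(br(data, 40, 47))
        # Starts at 48, not 47: byte 47 is the last byte of
        # attr_allocated_size, so a 47..55 range overlapped that field and
        # spanned nine bytes instead of eight.
        self.attr_actual_size = fields.Field(br(data, 48, 55))
        self.attr_init_size = fields.Field(br(data, 56, 63))
    else:
        self.content_size = fields.Field(br(data, 16, 19))
        self.content_offset = fields.Field(br(data, 20, 21))
        # Offset and size come straight from the record and are not checked
        # against len(data) or attr_length.  Python slicing clamps
        # out-of-range bounds instead of raising, so a truncated or
        # corrupted record yields a short (possibly empty) ``content``
        # without any error.
        start = self.content_offset.value
        self.content = data[start:start + self.content_size.value]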
def __init__(self, data):
    """Parse the attribute header, then decode the file-name body.

    The base initializer runs first; every field below is read from
    ``self.content`` at a fixed offset.  The four timestamps are kept as
    plain ``fields.Field`` values.

    Args:
        data: Raw bytes starting at the first byte of the attribute.
    """
    super(FileName, self).__init__(data)

    # Read once; raises AttributeError here if the base initializer did not
    # set ``content``.
    body = self.content
    make_field = fields.Field

    self.parent_dir = make_field(br(body, 0, 7))
    self.file_creation_time = make_field(br(body, 8, 15))
    self.file_modification_time = make_field(br(body, 16, 23))
    self.mft_modification_time = make_field(br(body, 24, 31))
    self.file_access_time = make_field(br(body, 32, 39))
    self.allocated_size = make_field(br(body, 40, 47))
    self.actual_size = make_field(br(body, 48, 55))
    self.content_flags = make_field(br(body, 56, 59))
    self.reparse_value = make_field(br(body, 60, 63))
    # NOTE(review): if the base initializer also sets ``name_length``, this
    # assignment replaces that value with the file-name length byte --
    # confirm that is intended.
    self.name_length = make_field(br(body, 64, 64))
    # FIXME (original author): purpose of the namespace byte still to be
    # documented.  NOTE(review): NTFS references describe it as the
    # filename namespace (POSIX / Win32 / DOS) -- confirm.
    self.namespace = make_field(br(body, 65, 65))

    # The upper bound is the header's content_size, not a value derived
    # from name_length; slicing clamps silently if the body is shorter.
    name_end = self.content_size.value
    self.name = fields.StringField(body[66:name_end])
def __init__(self, data):
    """Decode the fixed 42-byte record header from ``data``.

    The unmodified input is kept in ``raw``; everything from byte 42 onward
    is stored untouched in ``attributes_and_fixups``.

    No validation happens here: the signature is stored but not compared
    against an expected value, ``used_size`` / ``allocated_size`` are not
    checked against ``len(data)``, and the fixup array is not applied.
    NOTE(review): confirm where callers perform those checks before
    trusting the parsed offsets.

    Args:
        data: Raw bytes of one record.
    """
    self.raw = data

    # (attribute name, wrapper type, first byte, last byte), in the order
    # the fields are assigned.
    layout = (
        ("signature", fields.StringField, 0, 3),
        ("fixup_array_offset", fields.Field, 4, 5),
        ("fixup_array_entries", fields.Field, 6, 7),
        ("lsn", fields.Field, 8, 15),
        ("sequence", fields.Field, 16, 17),
        ("link_count", fields.Field, 18, 19),
        ("attribute_offset", fields.Field, 20, 21),
        ("flags", fields.MftFlagsField, 22, 23),
        ("used_size", fields.Field, 24, 27),
        ("allocated_size", fields.Field, 28, 31),
        ("file_ref", fields.Field, 32, 39),
        ("next_attr_id", fields.Field, 40, 41),
    )
    for attr_name, wrapper, first, last in layout:
        setattr(self, attr_name, wrapper(br(data, first, last)))

    self.attributes_and_fixups = data[42:]
def __init__(self, data):
    """Parse the attribute header, then decode the standard-info body.

    The base initializer runs first; every field below is read from
    ``self.content`` at a fixed offset.  The four timestamps are wrapped in
    ``fields.WindowsTime`` and the flag word in ``fields.SiFlags``.

    All offsets up to byte 71 are read unconditionally.
    NOTE(review): what happens when ``content`` is shorter than 72 bytes
    depends on ``br`` -- confirm it fails loudly rather than returning a
    short value.

    Args:
        data: Raw bytes starting at the first byte of the attribute.
    """
    super(StandardInfo, self).__init__(data)

    # (attribute name, wrapper type, first byte, last byte), in the order
    # the fields are assigned.
    layout = (
        ("created", fields.WindowsTime, 0, 7),
        ("altered", fields.WindowsTime, 8, 15),
        ("mft_altered", fields.WindowsTime, 16, 23),
        ("accessed", fields.WindowsTime, 24, 31),
        # Standard info flags
        ("si_flags", fields.SiFlags, 32, 35),
        ("version_max", fields.Field, 36, 39),
        ("version", fields.Field, 40, 43),
        ("class_id", fields.Field, 44, 47),
        ("owner_id", fields.Field, 48, 51),
        ("security_id", fields.Field, 52, 55),
        ("quota", fields.Field, 56, 63),
        ("usn", fields.Field, 64, 71),
    )
    for attr_name, wrapper, first, last in layout:
        # self.content is re-read on every iteration, as in a plain
        # sequence of assignments.
        setattr(self, attr_name, wrapper(br(self.content, first, last)))
def __init__(self, data):
    """Decode the fixed 42-byte record header from ``data``.

    ``raw`` keeps the unmodified input and ``attributes_and_fixups`` keeps
    everything from byte 42 onward, untouched.

    Nothing is validated at this point: the signature is stored without
    being compared to an expected value, the size fields are not checked
    against ``len(data)``, and the fixup array is not applied.
    NOTE(review): confirm that callers do this before acting on
    ``attribute_offset`` or the size fields.

    Args:
        data: Raw bytes of one record.
    """
    make_field = fields.Field

    self.raw = data
    self.signature = fields.StringField(br(data, 0, 3))

    # Fixup (update sequence) array location and entry count.
    self.fixup_array_offset = make_field(br(data, 4, 5))
    self.fixup_array_entries = make_field(br(data, 6, 7))

    self.lsn = make_field(br(data, 8, 15))
    self.sequence = make_field(br(data, 16, 17))
    self.link_count = make_field(br(data, 18, 19))
    self.attribute_offset = make_field(br(data, 20, 21))
    self.flags = fields.MftFlagsField(br(data, 22, 23))

    # Sizes as recorded in the header itself.
    self.used_size = make_field(br(data, 24, 27))
    self.allocated_size = make_field(br(data, 28, 31))

    self.file_ref = make_field(br(data, 32, 39))
    self.next_attr_id = make_field(br(data, 40, 41))

    # Remainder of the record after the fixed header.
    self.attributes_and_fixups = data[42:]