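def do_list_folders(self, arg):
    """List the found filename folders from the list of entryblocks with folders."""
    # The docstring text is kept verbatim: do_* docstrings are presumably
    # what the command shell shows as help text (confirm against the class).
    #
    # arg: raw argument string of the command, validated by
    #      self._check_func_args('list_folders', arg).
    # Returns None; the result is the table printed on stdout, one line per
    # folder attribute: block offset, entryblock, nodeid, childid, absolute
    # offset of the attribute, folder name.
    cargs = self._check_func_args('list_folders', arg)
    if cargs['return']:
        return
    if not self.blocks:
        print(
            'Master, first you need to look for the blocks and blocks with folders.'
        )
        print("Please Master, use 'find_entryblocks -F' first.")
        return
    listed = 0
    for block in self.blocks:
        # A falsy 'folderids' (empty or None) means nothing to list here.
        for fid in block['folderids'] or ():
            attr = rattr.read_attribute(self.dump_file, fid)
            try:
                foldername = attr['foldername'].decode('utf-16le')
            except (UnicodeDecodeError, AttributeError):
                # Only the two expected failures fall back to the raw value:
                # bytes that are not valid UTF-16LE, or a value that has no
                # decode() at all. A bare except here also swallowed
                # KeyboardInterrupt/SystemExit.
                foldername = attr['foldername']
            # NOTE(review): the name is read from the dump under analysis and
            # printed as-is, so control characters stored in it reach the
            # terminal; consider escaping non-printable characters first.
            listed += 1
            print(
                '{:#010x} {:#06x} {:#06x} {:#06x} {:#010x} {}'.format(
                    block['offset'], block['entryblock'], block['nodeid'],
                    block['childid'], attr['_absolute_offset'], foldername))
    print('Master I listed {} folders.'.format(listed))
    if not listed:
        print(
            "Master are you sure you performed 'find_entryblocks -F' before?"
        )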
def do_attribute(self, arg):
    """Parse the given dump offset (in bytes) as an Attribute."""
    # The docstring text is kept verbatim: do_* docstrings are presumably
    # what the command shell shows as help text (confirm against the class).
    #
    # arg: raw argument string of the command; self._check_func_args turns
    #      it into a parsed object carrying 'dump_offset'.
    # Returns None; the parsed attribute is handed to rattr.dump_attribute.
    checked = self._check_func_args('attribute', arg)
    if not checked['return']:
        parsed = rattr.read_attribute(self.dump_file,
                                      checked['args'].dump_offset)
        rattr.dump_attribute(parsed)
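def do_list_dataruns(self, arg):
    """Retrieve list of all the files dataruns."""
    # The docstring text is kept verbatim: do_* docstrings are presumably
    # what the command shell shows as help text (confirm against the class).
    #
    # arg: raw argument string of the command, validated by
    #      self._check_func_args('list_dataruns', arg).
    # Returns None; for every file attribute referenced by a block's 'fnas'
    # list it prints one header line (block offset, entryblock, nodeid,
    # counter, file name) followed by one line per data run.
    cargs = self._check_func_args('list_dataruns', arg)
    if cargs['return']:
        return
    files = 0
    drs = 0
    for block in self.blocks:
        # A falsy 'fnas' (empty or None) means the block references no file.
        for fid in block['fnas'] or ():
            files += 1
            attr = rattr.read_attribute(self.dump_file, fid)
            dataruns = []
            if attr['datarun'] and attr['datarun']['pointers_data']:
                for ptr in attr['datarun']['pointers_data']:
                    if ptr['pointers_data']:
                        datarun = [(x['blockid'], x['num_blocks'])
                                   for x in ptr['pointers_data']]
                        dataruns.append((ptr['logical_size'], datarun))
                        drs += 1
            try:
                filename = attr['filename'].decode('utf-16le')
            except (UnicodeDecodeError, AttributeError):
                # Only the two expected failures fall back to the raw value:
                # bytes that are not valid UTF-16LE, or a value that has no
                # decode() at all. A bare except here also swallowed
                # KeyboardInterrupt/SystemExit.
                filename = attr['filename']
            # NOTE(review): the name is read from the dump under analysis and
            # printed as-is, so control characters stored in it reach the
            # terminal; consider escaping non-printable characters first.
            print('{:#010x} {:#06x} {:#06x} {:6} {}'.format(
                block['offset'], block['entryblock'], block['nodeid'],
                block['counter'], filename))
            for length, datarun in dataruns:
                print(' size: {:#x} datarun: '.format(length), end='')
                for blockid, num in datarun:
                    print(' {:#x},{}'.format(blockid, num), end='')
                print('')
    if files:
        print('Master I listed {} data runs from {} files.'.format(
            drs, files))
    else:
        print(
            "Master I could not find any file, did you already execute 'find_entryblocks -f'?"
        )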
blocks_with_files = blocks_with_file_attributes(args.dump, blocks, step) print("==================================================================") print("Blocks found with files found") print("==================================================================") for b in blocks_with_files: print( '{:#010x} - {:#010x}: {:#06x} {:>3} {:#06x} {:#06x} {:4} {:4}'.format( b['offset'], b['offset'] + step, b['entryblock'], b['counter'], b['nodeid'], b['childid'], len(b['fileids']), len(b['folderids']))) # print("==================================================================") print("Files found") print("==================================================================") for block in blocks_with_files: for fid in block['fileids']: attr = refs_attr.read_attribute(args.dump, fid) try: filename = attr['filename'].decode('utf-16le') except: filename = attr['filename'] print('{:#010x} {:#06x} {:#06x} {:#06x} {:#010x} {}'.format( block['offset'], block['entryblock'], block['nodeid'], block['childid'], attr['absolute_offset'], filename)) # print("==================================================================") print("Folders found") print("==================================================================") for block in blocks_with_files: for fid in block['folderids']: attr = refs_attr.read_attribute(args.dump, fid) try:
def read_entryblock(dump, offset):
    """Parse the entry block located at byte ``offset`` of ``dump``.

    Reads the entry-block header and the node descriptor, then one of two
    layouts: the node header with its record pointers (each resolved with
    ``rattr.read_attribute``), or the extent table with its extent pointers
    (each resolved with ``_read_extent``).

    Args:
        dump: Object providing ``seek()`` and ``read()``; it is repositioned
            with absolute seeks (whence 0).
        offset: Absolute byte offset of the entry block inside ``dump``.

    Returns:
        dict describing the entry block. Keys starting with ``_``
        (``_absolute_offset``, ``_structure_size``, ``_contains_records``,
        ``_contains_extents``) are computed here; the remaining keys hold
        fields unpacked from the dump. Which keys exist depends on the
        layout that was parsed.

    NOTE(review): every length, count and offset used below is read from the
    dump and used without a range check. A truncated or corrupted dump gives
    short reads, and -- assuming the *_FORMAT objects and ``Struct`` are
    ``struct.Struct`` -- ``unpack_from`` then raises ``struct.error``; callers
    scanning arbitrary offsets should expect that.
    """
    # NOTE(review): the listing this block was recovered from had lost its
    # indentation; the nesting below is reconstructed from the statements
    # themselves and should be checked against the upstream file.
    dump.seek(offset, 0)
    data = dump.read(EB_HEADER_FORMAT.size)
    fields = EB_HEADER_FORMAT.unpack_from(data, 0)
    # fields[2] of the header is not kept.
    eb = {
        '_absolute_offset': offset,
        'eb_number': fields[0],
        'counter': fields[1],
        'node_id': fields[3]
    }
    # Running total of the bytes attributed to this entry block.
    eb['_structure_size'] = EB_HEADER_FORMAT.size
    # The node descriptor is read from the position right after the header.
    data = dump.read(EB_NODE_DESC_FORMAT.size)
    fields = EB_NODE_DESC_FORMAT.unpack_from(data, 0)
    eb['node_desc_length'] = fields[0]
    # Extent and record counts are only taken when the descriptor length is
    # not 0x08; with 0x08 these two keys are never set.
    if eb['node_desc_length'] != 0x08:
        eb['num_extents'] = fields[2]
        eb['num_records'] = fields[4]
    eb['_structure_size'] = (eb['_structure_size'] + eb['node_desc_length'])
    eb['_contains_records'] = False
    eb['_contains_extents'] = False
    # The short-circuit on 0x08 keeps the 'num_extents' lookup from running
    # when that key was not set above.
    if (eb['node_desc_length'] == 0x08 or eb['num_extents'] == 0):
        eb['_contains_records'] = True
        # Offsets found in the node header are relative to this position.
        eb['node_header_offset'] = eb['_structure_size']
        dump.seek(offset + eb['_structure_size'], 0)
        data = dump.read(EB_NODE_HEADER_FORMAT.size)
        fields = EB_NODE_HEADER_FORMAT.unpack_from(data, 0)
        eb['header_length'] = fields[0]
        eb['offset_free_record'] = fields[1]
        eb['free_space'] = fields[2]
        eb['header_unknown'] = fields[3]
        eb['offset_first_pointer'] = fields[4]
        eb['num_pointers'] = fields[5]
        eb['offset_end_node'] = fields[6]
        if eb['num_pointers']:
            # NOTE(review): num_pointers comes straight from the dump; the
            # format string and the read below grow with it, so a corrupt
            # count is paid for in memory. Consider bounding it.
            pointers_format = Struct('<' + ('L' * eb['num_pointers']))
            dump.seek(
                offset + eb['node_header_offset'] + eb['offset_first_pointer'],
                0)
            data = dump.read(pointers_format.size)
            fields = pointers_format.unpack_from(data, 0)
            eb['pointers'] = fields
            eb['pointers_data'] = []
            for ptr in eb['pointers']:
                # Each pointer is followed as an offset from the node header;
                # nothing checks that it stays inside this entry block.
                ptr_addr = offset + eb['node_header_offset'] + ptr
                attr = rattr.read_attribute(dump, ptr_addr)
                eb['pointers_data'].append(attr)
                eb['_structure_size'] = eb['_structure_size'] + attr['size']
        else:
            eb['pointers'] = None
            eb['pointers_data'] = None
        # NOTE(review): placed after the if/else, so the header length is
        # counted whether or not there are pointers -- inferred placement,
        # verify against the upstream file.
        eb['_structure_size'] = (eb['_structure_size'] + eb['header_length'])
    elif (eb['node_desc_length'] != 0x08 and eb['num_extents'] != 0):
        eb['_contains_extents'] = True
        # Offsets found in the extent table are relative to this position.
        eb['extent_table_offset'] = eb['_structure_size']
        dump.seek(offset + eb['_structure_size'], 0)
        data = dump.read(EB_EXTENT_TABLE_FORMAT.size)
        fields = EB_EXTENT_TABLE_FORMAT.unpack_from(data, 0)
        eb['extent_table_length'] = fields[0]
        eb['extent_table_unknown0'] = fields[1]
        eb['extent_table_unknown1'] = fields[2]
        eb['extent_table_unknown2'] = fields[3]
        eb['offset_first_extent_pointer'] = fields[4]
        eb['num_extent_pointers'] = fields[5]
        eb['offset_end_of_extent_pointers'] = fields[6]
        eb['extent_table_unknown3'] = fields[7]
        eb['_structure_size'] = eb['_structure_size'] + eb[
            'extent_table_length']
        # NOTE(review): as with num_pointers, this count is taken from the
        # dump unchecked and sizes both the format and the read.
        pointers_format = Struct('<' + ('L' * eb['num_extent_pointers']))
        dump.seek(
            offset + eb['extent_table_offset'] +
            eb['offset_first_extent_pointer'], 0)
        data = dump.read(pointers_format.size)
        fields = pointers_format.unpack_from(data, 0)
        eb['extent_pointers'] = fields
        eb['extents'] = []
        for ptr in eb['extent_pointers']:
            # Extent pointers are followed as offsets from the extent table,
            # again without a bounds check.
            ptr_addr = offset + eb['extent_table_offset'] + ptr
            ext = _read_extent(dump, ptr_addr)
            eb['extents'].append(ext)
            eb['_structure_size'] = eb['_structure_size'] + ext[
                '_structure_size']
    return eb