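def init_entry(self, block, kind):
    """Populate this index entry from its raw on-disk bytes.

    Every field is read from fixed offsets in *block*, little-endian:

    * bytes 0-6   -> ``filerecord`` (via ``_Unpack48``)
    * bytes 6-8   -> ``seqnumber``
    * bytes 8-12  -> ``elength`` and ``alength``
    * bytes 12-16 -> ``flags``
    * ``vcn`` is the final 8 bytes of *block* when flag bit 0 is set,
      otherwise -1.

    When *kind* is 0x30 (presumably the NTFS $FILE_NAME attribute type;
    confirm against the caller) and flag bit 1 is clear, the embedded
    file-name fields are parsed as well: ``parentdir``, ``parentdirseq``,
    ``time``, ``fnamelength`` and ``filename``.  In every other case
    ``filename`` stays an empty string.

    *block* comes from the volume being examined and is not validated
    here.  A block too short for a fixed-width field makes the
    corresponding ``struct.unpack`` (or the index at 0x50) raise.
    """
    self.filerecord = _Unpack48(block[0:6])
    self.seqnumber, = struct.unpack("<H", block[6:8])
    self.elength, self.alength = struct.unpack("<HH", block[8:12])
    self.flags, = struct.unpack("<I", block[12:16])

    # Flag bit 0: the trailing 8 bytes of the entry carry a 64-bit VCN.
    if self.flags & 1:
        self.vcn, = struct.unpack("<Q", block[-8:])
    else:
        self.vcn = -1

    self.filename = ""
    if kind == 0x30 and (self.flags & 2) == 0:
        self.parentdir = _Unpack48(block[0x10:0x16])
        self.parentdirseq, = struct.unpack("<H", block[0x16:0x18])
        # The 32 bytes at 0x18-0x38 are handed to _NTFSTime as one unit
        # (an earlier revision decoded them as four separate 64-bit values).
        self.time = _NTFSTime(block[0x18:0x38])
        # Relies on Python 2 str indexing: block[0x50] is a one-character
        # string, which is what struct.unpack("B", ...) needs.
        self.fnamelength, = struct.unpack("B", block[0x50])
        # fnamelength is an on-disk value and is not compared with
        # len(block); if the entry is shorter than the length claims, the
        # slice just comes back shorter and the name is silently truncated.
        unicodename = block[0x52:0x52 + self.fnamelength * 2]
        try:
            self.filename = unicodename.decode("utf-16-le")
        except UnicodeDecodeError:
            # Only the decode failure is expected here; a bare except would
            # also swallow KeyboardInterrupt and genuine programming errors.
            # The bytes come from the examined volume, so report them with
            # %r rather than writing raw control characters to the terminal.
            print("decode error %r" % (unicodename,))
            self.filename = ""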
def init_attribute(self, attr, offset):
    """Parse a file-name attribute and store its fields on ``self``.

    Records *offset* as ``a_location``, lets ``parse_header`` process
    *attr*, wraps the attribute in a resident or non-resident content
    object depending on ``a_resident`` (presumably set by ``parse_header``;
    confirm), then reads each field from fixed offsets in the content via
    ``read_data(start, end)``.  All integers are little-endian.
    """
    self.a_location = offset
    self.parse_header(attr)

    if self.a_resident == True:
        content_cls = _ResidentAttribute
    else:
        content_cls = _NonResidentAttribute
    self.a_content = content_cls(attr, self)

    read = self.a_content.read_data

    def unpack_one(fmt, start, end):
        # Decode a single fixed-width value from the attribute content.
        return struct.unpack(fmt, read(start, end))[0]

    self.a_parentdir = _Unpack48(read(0, 6))
    self.a_parentsq = unpack_one("<H", 6, 8)
    self.a_time = _NTFSTime(read(8, 40))
    # NOTE(review): commonly documented $FILE_NAME layouts put the allocated
    # size at offset 40 and the real size at 48, which reads the other way
    # round from these attribute names; verify against a known image.
    self.a_logicalfilesize = unpack_one("<Q", 40, 48)
    self.a_sizeondisk = unpack_one("<Q", 48, 56)
    self.a_fflags = unpack_one("<I", 56, 60)
    self.a_reparse = unpack_one("<I", 60, 64)
    self.a_namelen = unpack_one("B", 64, 65)
    self.a_nametype = unpack_one("B", 65, 66)

    # a_namelen counts 2-byte UTF-16 code units.
    name_end = 66 + (self.a_namelen * 2)
    self.a_name = read(66, name_end)
    # NOTE(review): a_namelen is taken straight from the attribute data and
    # the decode is unguarded, so a malformed name raises UnicodeDecodeError
    # out of this method; confirm callers handle that for damaged volumes.
    self.a_ascname = self.a_name.decode("utf-16-le")
def init_attribute(self, attr, offset):
    """Load the fields of a file-name attribute onto this object.

    *offset* is stored as ``a_location`` and *attr* is passed to
    ``parse_header``.  The attribute is then wrapped as resident or
    non-resident content according to ``a_resident`` (presumably filled in
    by ``parse_header``; confirm), and the individual fields are pulled
    from that content with ``read_data(start, end)`` at fixed offsets.
    """
    self.a_location = offset
    self.parse_header(attr)
    wrapper = (
        _ResidentAttribute if self.a_resident == True
        else _NonResidentAttribute
    )
    self.a_content = wrapper(attr, self)
    content = self.a_content

    self.a_parentdir = _Unpack48(content.read_data(0, 6))
    self.a_parentsq = struct.unpack("<H", content.read_data(6, 8))[0]
    self.a_time = _NTFSTime(content.read_data(8, 40))

    # (attribute, struct format, start, end), in on-disk order.
    # NOTE(review): commonly documented $FILE_NAME layouts put the allocated
    # size at offset 40 and the real size at 48, which reads the other way
    # round from the first two names; verify against a known image.
    scalar_fields = (
        ("a_logicalfilesize", "<Q", 40, 48),
        ("a_sizeondisk", "<Q", 48, 56),
        ("a_fflags", "<I", 56, 60),
        ("a_reparse", "<I", 60, 64),
        ("a_namelen", "B", 64, 65),
        ("a_nametype", "B", 65, 66),
    )
    for field, fmt, start, end in scalar_fields:
        raw = content.read_data(start, end)
        setattr(self, field, struct.unpack(fmt, raw)[0])

    # The name occupies a_namelen UTF-16 code units starting at offset 66.
    self.a_name = content.read_data(66, 66 + (self.a_namelen * 2))
    # NOTE(review): the length byte comes from the attribute data and the
    # decode has no error handling, so a malformed name raises
    # UnicodeDecodeError here; confirm callers expect that on damaged input.
    self.a_ascname = self.a_name.decode("utf-16-le")