def __init__(self, data):
super(IndexRoot, self).__init__(data)
self.ir_attr_type = fields.AttributeTypeField(
br(self.content, 0, 3), verbose="Type of attribute in index")
self.ir_collation_rule = fields.BaseField(
br(self.content, 4, 7), verbose="Collation sorting rule")
self.ir_index_byte_size = fields.BaseField(
br(self.content, 8, 11), verbose="Index record size (bytes)")
self.ir_index_cluster_size = fields.BaseField(
br(self.content, 12), verbose="Index record size (clusters)")
def __init__(self, data):
super(ObjectId, self).__init__(data)
self.oid_object_id = fields.BaseField(
br(self.content, 0, 15), verbose="Object ID")
self.oid_birth_vol_id = fields.BaseField(
br(self.content, 16, 31), verbose="Birth volume ID")
self.oid_birth_obj_id = fields.BaseField(
br(self.content, 32, 47), verbose="Birth object ID")
self.oid_birth_dom_id = fields.BaseField(
br(self.content, 48, 63), verbose="Birth domain ID")
def __init__(self, data):
super(AttributeList, self).__init__(data)
self.alist_attr_type = fields.AttributeTypeField(
br(self.content, 0, 3), verbose="Attribute type")
self.alist_entry_length = fields.BaseField(
br(self.content, 4, 5), verbose="Entry length")
self.alist_name_length = fields.BaseField(
br(self.content, 6, 6), verbose="Name length")
self.alist_name_offset = fields.BaseField(
br(self.content, 7, 7), verbose="Name offset")
self.alist_vcn_start = fields.BaseField(
br(self.content, 8, 15), verbose="VCN start")
self.alist_file_ref = fields.BaseField(
br(self.content, 16, 23),
verbose="File reference to attribute location")
self.alist_attr_id = fields.BaseField(
br(self.content, 24, 24), verbose="Attribute ID")
def __init__(self, data):
super(ReparsePoint, self).__init__(data)
self.rpoint_flags = fields.BaseField(
br(self.content, 0, 3), verbose="Reparse point flags")
self.rpoint_size = fields.BaseField(
br(self.content, 4, 5), verbose="Size")
#self.rpoint_unused = fields.BaseField(
# br(self.content, 6, 7), verbose="Unused")
self.rpoint_target_name_offset = fields.BaseField(
br(self.content, 8, 9), verbose="Target name offset")
self.rpoint_target_name_length = fields.BaseField(
br(self.content, 10, 11), verbose="Target name length")
self.rpoint_print_name_offset = fields.BaseField(
br(self.content, 12, 13), verbose="Print name offset")
self.rpoint_print_name_length = fields.BaseField(
br(self.content, 14, 15), verbose="Print name length")
def __init__(self, data):
self.attr_type = fields.AttributeTypeField(
br(data, 0, 3), verbose='Attribute type')
self.attr_length = fields.BaseField(
br(data, 4, 7), verbose='Attribute length')
if not self.attr_type.id == 0xffffffff:
self.non_resident = fields.NonResField(
br(data, 8, 8), verbose="Non-resident flag")
self.name_length = fields.BaseField(
br(data, 9, 9), verbose="Name length")
self.name_offset = fields.BaseField(
br(data, 10, 11), verbose="Name offset")
self.flags = fields.BaseField(
br(data, 12, 13), verbose="Attribute flags")
self.attr_id = fields.BaseField(
br(data, 14, 15), verbose="Attribute identifier")
if self.non_resident.value:
self.vcn_start = fields.BaseField(
br(data, 16, 23),
verbose="Virtual cluster number (VCN) start")
self.vcn_end = fields.BaseField(
br(data, 24, 31),
verbose="Virtual cluster number (VCN) end")
self.runlist_offset = fields.BaseField(
br(data, 32, 33), verbose="Runlist offset")
self.compression_size = fields.BaseField(
br(data, 34, 35), verbose="Compression unit size")
#self.non_res_unused = fields.BaseField(
# br(data, 36, 39), verbose="Unused")
self.attr_allocated_size = fields.BaseField(
br(data, 40, 47), verbose="Attribute allocated size")
self.attr_actual_size = fields.BaseField(
br(data, 48, 55), verbose="Attribute actual size")
self.attr_init_size = fields.BaseField(
br(data, 56, 63),
verbose="Initialized size of attribute content")
else:
self.content_size = fields.BaseField(
br(data, 16, 19), verbose="Content size")
self.content_offset = fields.BaseField(
br(data, 20, 21), verbose="Content offset")
self.content = data[
self.content_offset.value:(
self.content_size.value + self.content_offset.value
)]
def __init__(self, data):
super(FileName, self).__init__(data)
self.parent_dir = fields.ParentDirField(
br(self.content, 0, 7), verbose="Parent directory")
self.file_creation_time = fields.WindowsTimeField(
br(self.content, 8, 15),
verbose="Creation time",
)
self.file_modification_time = fields.WindowsTimeField(
br(self.content, 16, 23),
verbose="File modification time",
)
self.mft_modification_time = fields.WindowsTimeField(
br(self.content, 24, 31),
verbose="MFT modification time",
)
self.file_access_time = fields.WindowsTimeField(
br(self.content, 32, 39),
verbose="File access time",)
self.allocated_size = fields.BaseField(
br(self.content, 40, 47),
verbose="Allocated size",)
self.actual_size = fields.BaseField(
br(self.content, 48, 55),
verbose="Actual size")
self.content_flags = fields.BaseField(
br(self.content, 56, 59), verbose="Content flags")
self.reparse_value = fields.BaseField(
br(self.content, 60, 63), verbose="Reparse value")
self.name_length = fields.BaseField(
br(self.content, 64, 64), verbose="Name length")
# FIXME: FIND OUT WHAT NAMESPACE IS FOR
self.namespace = fields.BaseField(
br(self.content, 65, 65), verbose="Namespace")
self.name = fields.FileNameField(
self.content[66:self.content_size.value],
verbose="File name",
)
def __init__(self, data):
super(StandardInfo, self).__init__(data)
self.created = fields.WindowsTimeField(
br(self.content, 0, 7), verbose="Created")
self.altered = fields.WindowsTimeField(
br(self.content, 8, 15), verbose="Altered")
self.mft_altered = fields.WindowsTimeField(
br(self.content, 16, 23), verbose="MFT altered")
self.accessed = fields.WindowsTimeField(
br(self.content, 24, 31), verbose="Accessed")
# Standard info flags
self.si_flags = fields.SiFlagsField(
br(self.content, 32, 35), verbose="Standard information flags")
self.version_max = fields.BaseField(
br(self.content, 36, 39), verbose="Maximum versions")
self.version = fields.BaseField(
br(self.content, 40, 43), verbose="Version")
self.class_id = fields.BaseField(
br(self.content, 44, 47), verbose="Class ID")
self.owner_id = fields.BaseField(
br(self.content, 48, 51), verbose="Owner ID")
self.security_id = fields.BaseField(
br(self.content, 52, 55), verbose="Security ID")
self.quota = fields.BaseField(
br(self.content, 56, 63), verbose="Quota")
# FIXME: Change the verbose name
self.usn = fields.BaseField(br(self.content, 64, 71), verbose="USN")
def __init__(self, data):
self.raw = data
self.signature = fields.StringField(br(data, 0, 3))
self.fixup_array_offset = fields.BaseField(br(data, 4, 5))
self.fixup_array_entries = fields.BaseField(br(data, 6, 7))
self.lsn = fields.BaseField(br(data, 8, 15))
self.sequence = fields.BaseField(br(data, 16, 17))
self.link_count = fields.BaseField(br(data, 18, 19))
self.attribute_offset = fields.BaseField(br(data, 20, 21))
self.flags = fields.MftFlagsField(br(data, 22, 23))
self.used_size = fields.BaseField(br(data, 24, 27))
self.allocated_size = fields.BaseField(br(data, 28, 31))
self.file_ref = fields.BaseField(br(data, 32, 39))
self.next_attr_id = fields.BaseField(br(data, 40, 41))
self.attributes_and_fixups = data[42:]