ntfs

package module
Version: v0.0.0-...-d467c5e Latest Latest
Warning

This package is not in the latest version of its module.

Published: Jul 1, 2019 License: Apache-2.0 Imports: 17 Imported by: 0

Documentation

Overview

Implements some easy-to-use APIs.

Index

Constants

const NTFS_PROFILE = `` /* 8535-byte string literal not displayed */

Variables

// Package-level debug switches. Both are exported, mutable globals, so a
// change made by one caller affects every user of the package in the process.
//
// LZNT1_debug defaults to false; presumably it gates LZNT1Printf output
// (name-based — the function body is not shown here).
//
// NTFS_DEBUG is declared without an initializer, so it is nil until something
// assigns it; any code that dereferences it needs a nil check first.
var (
	LZNT1_debug = false

	NTFS_DEBUG *bool
)
// Bit masks over a 16-bit value:
//
//	COMPRESSED_MASK  bit 15 only        (0x8000)
//	SIGNATURE_MASK   bits 12 and 13     (0x3000)
//	SIZE_MASK        the low 12 bits    (0x0FFF)
//
// Presumably these split an LZNT1 chunk header into its fields (name-based,
// given LZNT1Decompress in this package) — confirm against the decompressor.
//
// NOTE(review): a header read from a disk image is untrusted input. The value
// extracted with SIZE_MASK in particular should be range-checked against the
// remaining input before it is used to slice a buffer.
//
// These are declared with var, not const, so other code can reassign them.
var (
	COMPRESSED_MASK = uint16(1 << 15)
	SIGNATURE_MASK  = uint16(3 << 12)
	SIZE_MASK       = uint16(1<<12) - 1
)

Functions

func AddParsers

func AddParsers(profile *vtypes.Profile)

func Debug

func Debug(arg interface{})

func DebugPrint

func DebugPrint(fmt_str string, v ...interface{})

func GetDataForPath

func GetDataForPath(path string, root *MFT_ENTRY) (io.ReaderAt, error)

func GetFullPath

// NOTE(review): the body is not shown on this page. The owner links that are
// followed presumably come from the image being parsed, so confirm the walk
// towards the root is bounded (a depth limit or a visited set); otherwise a
// cyclic parent reference in a damaged or crafted image could keep it from
// terminating. Callers should check the returned error before using the path.
func GetFullPath(mft_entry *MFT_ENTRY) (string, error)

Traverse the mft entry and attempt to find its owner until the root. We return the full path of the MFT entry.

func GetProfile

func GetProfile() (*vtypes.Profile, error)

func LZNT1Decompress

// LZNT1Decompress takes a byte slice and returns a byte slice or an error;
// by its name it decompresses LZNT1 data (the body is not shown on this page).
//
// NOTE(review): compressed data read from an image is untrusted. Callers
// should check the returned error and not assume a fixed output length.
// Confirm that the implementation validates chunk sizes and back-reference
// offsets against the buffers it has, and returns an error rather than
// panicking on malformed input.
func LZNT1Decompress(in []byte) ([]byte, error)

func LZNT1Printf

func LZNT1Printf(fmt_str string, args ...interface{})

func ParseMFTId

// ParseMFTId parses a string identifier into three integers, named in the
// results as an MFT index, an attribute value and an id, plus an error.
//
// NOTE(review): the accepted string format is not shown on this page —
// presumably the same form as the FileInfo.MFTId field; confirm. Check err
// before using the integers, particularly when mft_id comes from user input.
func ParseMFTId(mft_id string) (mft_idx int64, attr int64, id int64, err error)

func Printf

func Printf(fmt_str string, args ...interface{})

func UTF16ToString

func UTF16ToString(bytes []byte) string

Types

type ATTRIBUTE_LIST_ENTRY

type ATTRIBUTE_LIST_ENTRY struct {
	vtypes.Object
	// contains filtered or unexported fields
}

func (*ATTRIBUTE_LIST_ENTRY) Attributes

func (self *ATTRIBUTE_LIST_ENTRY) Attributes() []*NTFS_ATTRIBUTE

func (*ATTRIBUTE_LIST_ENTRY) GetAttribute

func (self *ATTRIBUTE_LIST_ENTRY) GetAttribute() (*NTFS_ATTRIBUTE, error)

type DATA

type DATA struct {
	*NTFS_ATTRIBUTE
}

type EvictCallback

type EvictCallback func(key int, value interface{})

EvictCallback is used to get a callback when a cache entry is evicted

type FILE_NAME

type FILE_NAME struct {
	vtypes.Object
}

func (*FILE_NAME) DebugString

func (self *FILE_NAME) DebugString() string

func (*FILE_NAME) Name

func (self *FILE_NAME) Name() string

type FileInfo

type FileInfo struct {
	MFTId    string
	Mtime    time.Time
	Atime    time.Time
	Ctime    time.Time
	Name     string
	NameType string
	IsDir    bool
	Size     int64
}

func ListDir

func ListDir(root *MFT_ENTRY) []*FileInfo

type FilenameInfo

type FilenameInfo struct {
	Times TimeStamps
	Type  string
	Name  string
}

type GenericRun

type GenericRun struct {
	Offset int64
	End    int64
	Reader io.ReaderAt
}

type INDEX_NODE_HEADER

type INDEX_NODE_HEADER struct {
	vtypes.Object
}

type INDEX_RECORD_ENTRY

type INDEX_RECORD_ENTRY struct {
	vtypes.Object
}

type LRU

type LRU struct {
	// contains filtered or unexported fields
}

LRU implements a thread safe fixed size LRU cache

func NewLRU

func NewLRU(size int, onEvict EvictCallback) (*LRU, error)

NewLRU constructs an LRU of the given size

func (*LRU) Add

func (c *LRU) Add(key int, value interface{}) (evicted bool)

Add adds a value to the cache. Returns true if an eviction occurred.

func (*LRU) Contains

func (c *LRU) Contains(key int) (ok bool)

Contains checks if a key is in the cache, without updating the recent-ness or deleting it for being stale.

func (*LRU) Get

func (c *LRU) Get(key int) (value interface{}, ok bool)

Get looks up a key's value from the cache.

func (*LRU) GetOldest

func (c *LRU) GetOldest() (key int, value interface{}, ok bool)

GetOldest returns the oldest entry

func (*LRU) Keys

func (c *LRU) Keys() []int

Keys returns a slice of the keys in the cache, from oldest to newest.

func (*LRU) Len

func (c *LRU) Len() int

Len returns the number of items in the cache.

func (*LRU) Peek

func (c *LRU) Peek(key int) (value interface{}, ok bool)

Peek returns the key value (or undefined if not found) without updating the "recently used"-ness of the key.

func (*LRU) Purge

func (c *LRU) Purge()

Purge is used to completely clear the cache.

func (*LRU) Remove

func (c *LRU) Remove(key int) (present bool)

Remove removes the provided key from the cache, returning if the key was contained.

func (*LRU) RemoveOldest

func (c *LRU) RemoveOldest() (key int, value interface{}, ok bool)

RemoveOldest removes the oldest item from the cache.

type MFT_ENTRY

type MFT_ENTRY struct {
	vtypes.Object
	// contains filtered or unexported fields
}

Represents a single MFT entry. This can only be created using NTFS_BOOT_SECTOR.MFT().

func GetRootMFTEntry

func GetRootMFTEntry(image io.ReaderAt) (*MFT_ENTRY, error)

func (*MFT_ENTRY) Attributes

func (self *MFT_ENTRY) Attributes() []*NTFS_ATTRIBUTE

func (*MFT_ENTRY) Data

func (self *MFT_ENTRY) Data(attr_type, id int64) io.ReaderAt

Retrieve the content of the attribute stream specified by id.

func (*MFT_ENTRY) DebugString

func (self *MFT_ENTRY) DebugString() string

func (*MFT_ENTRY) Dir

func (self *MFT_ENTRY) Dir() []*INDEX_RECORD_ENTRY

func (*MFT_ENTRY) DirNodes

func (self *MFT_ENTRY) DirNodes() []*INDEX_NODE_HEADER

func (*MFT_ENTRY) FileName

func (self *MFT_ENTRY) FileName() []*FILE_NAME

Extract the $FILE_NAME attribute from the MFT.

func (*MFT_ENTRY) IsDir

func (self *MFT_ENTRY) IsDir() bool

func (*MFT_ENTRY) MFTEntry

func (self *MFT_ENTRY) MFTEntry(id int64) (*MFT_ENTRY, error)

Convenience method used to extract another MFT entry from the same table used by the current entry.

func (*MFT_ENTRY) Offset

func (self *MFT_ENTRY) Offset() int64

func (*MFT_ENTRY) Open

func (self *MFT_ENTRY) Open(filename string) (*MFT_ENTRY, error)

Open the MFT entry specified by a path name. Walks all directory indexes in the path to find the right MFT entry.

func (*MFT_ENTRY) Reader

func (self *MFT_ENTRY) Reader() io.ReaderAt

func (*MFT_ENTRY) StandardInformation

func (self *MFT_ENTRY) StandardInformation() (
	*STANDARD_INFORMATION, error)

Extract the $STANDARD_INFORMATION attribute from the MFT.

type MapReader

type MapReader struct {
	// Very simple for now.
	Runs []*GenericRun
}

Stitch together several different readers mapped at different offsets. In NTFS, a file's data consists of multiple $DATA streams, each having the same id. These different streams are mapped at different runlist_vcn_start to runlist_vcn_end (VCN = Virtual Cluster Number: the cluster number within the file's data). This reader combines these different readers into a single continuous form.

func (*MapReader) ReadAt

func (self *MapReader) ReadAt(buf []byte, offset int64) (int, error)

type NTFSFileInformation

// NTFSFileInformation is a flattened summary of one MFT entry; it is the
// result type of ModelMFTEntry.
//
// It carries two sets of timestamps: SI_Times (presumably taken from the
// $STANDARD_INFORMATION attribute — name-based, confirm) and one TimeStamps
// per element of Filenames. Having both side by side lets an analyst compare
// them, which is a common check for timestamp tampering.
//
// SI_Times is a pointer and Filenames is a slice of pointers, so either can
// hold nil; check before dereferencing.
//
// NOTE(review): the meaning of Allocated (in-use vs. deleted record) is
// inferred from the name only.
type NTFSFileInformation struct {
	FullPath  string
	MFTID     int64
	Size      int64
	Allocated bool
	IsDir     bool
	SI_Times  *TimeStamps
	Filenames []*FilenameInfo
}

func ModelMFTEntry

func ModelMFTEntry(mft_entry *MFT_ENTRY) (*NTFSFileInformation, error)

type NTFS_ATTRIBUTE

type NTFS_ATTRIBUTE struct {
	vtypes.Object
	// contains filtered or unexported fields
}

func (*NTFS_ATTRIBUTE) Data

func (self *NTFS_ATTRIBUTE) Data() io.ReaderAt

func (*NTFS_ATTRIBUTE) DebugString

func (self *NTFS_ATTRIBUTE) DebugString() string

func (*NTFS_ATTRIBUTE) Decode

func (self *NTFS_ATTRIBUTE) Decode() (vtypes.Object, error)

func (*NTFS_ATTRIBUTE) IsResident

func (self *NTFS_ATTRIBUTE) IsResident() bool

func (*NTFS_ATTRIBUTE) Name

func (self *NTFS_ATTRIBUTE) Name() string

func (*NTFS_ATTRIBUTE) RunList

func (self *NTFS_ATTRIBUTE) RunList() []Run

func (*NTFS_ATTRIBUTE) Size

func (self *NTFS_ATTRIBUTE) Size() int64

type NTFS_BOOT_SECTOR

type NTFS_BOOT_SECTOR struct {
	vtypes.Object
	// contains filtered or unexported fields
}

func NewBootRecord

func NewBootRecord(profile *vtypes.Profile, reader io.ReaderAt, offset int64) (
	*NTFS_BOOT_SECTOR, error)

NTFS Parsing starts with the boot record.

func (*NTFS_BOOT_SECTOR) BlockCount

func (self *NTFS_BOOT_SECTOR) BlockCount() int64

func (*NTFS_BOOT_SECTOR) ClusterSize

func (self *NTFS_BOOT_SECTOR) ClusterSize() int64

func (*NTFS_BOOT_SECTOR) MFT

func (self *NTFS_BOOT_SECTOR) MFT() (*MFT_ENTRY, error)

func (*NTFS_BOOT_SECTOR) RecordSize

func (self *NTFS_BOOT_SECTOR) RecordSize() int64

type PagedReader

type PagedReader struct {
	// contains filtered or unexported fields
}

func NewPagedReader

func NewPagedReader(reader io.ReaderAt, pagesize int64, cache_size int) (*PagedReader, error)

func (*PagedReader) ReadAt

func (self *PagedReader) ReadAt(buf []byte, offset int64) (int, error)

type ReaderRun

type ReaderRun struct {
	FileOffset       int64
	TargetOffset     int64
	Length           int64
	CompressedLength int64
}

func MakeReaderRuns

func MakeReaderRuns(runs []Run) []ReaderRun

Convert the NTFS relative runlist into an absolute run list.

func (*ReaderRun) Decompress

func (self *ReaderRun) Decompress(reader io.ReaderAt, cluster_size int64) ([]byte, error)

type Run

// Run is one element of a run list; NTFS_ATTRIBUTE.RunList returns []Run and
// MakeReaderRuns converts such a list into absolute ReaderRun values.
//
// NOTE(review): "RelativeUrnOffset" looks like a typo for "RelativeRunOffset".
// The field is exported, so renaming it would break callers. The offset is
// relative rather than absolute (per the MakeReaderRuns description); what it
// is relative to, and the units of both fields, are not shown on this page.
// Both values are decoded from the image, so code that accumulates them
// should guard against negative lengths and int64 overflow.
type Run struct {
	RelativeUrnOffset int64
	Length            int64
}

type RunReader

type RunReader struct {
	// contains filtered or unexported fields
}

An io.ReaderAt which works off runs.

func NewCompressedRunReader

func NewCompressedRunReader(runs []Run,
	attr *NTFS_ATTRIBUTE, compression_unit_size int64) *RunReader

func NewRunReader

func NewRunReader(runs []Run, attr *NTFS_ATTRIBUTE) *RunReader

func (*RunReader) Boot

func (self *RunReader) Boot() *NTFS_BOOT_SECTOR

Returns the boot sector.

func (*RunReader) ReadAt

func (self *RunReader) ReadAt(buf []byte, file_offset int64) (
	int, error)

type STANDARD_INDEX_HEADER

type STANDARD_INDEX_HEADER struct {
	vtypes.Object
	// contains filtered or unexported fields
}

func NewSTANDARD_INDEX_HEADER

func NewSTANDARD_INDEX_HEADER(attr *NTFS_ATTRIBUTE, offset int64, length int64) (
	*STANDARD_INDEX_HEADER, error)

The STANDARD_INDEX_HEADER has a second layer of fixups.

type STANDARD_INFORMATION

type STANDARD_INFORMATION struct {
	vtypes.Object
}

type TimeStamps

// TimeStamps groups four time.Time values: creation, file modification,
// MFT record modification and last access. It is the type of
// NTFSFileInformation.SI_Times and of FilenameInfo.Times.
//
// NOTE(review): the time zone of the values is not shown here — presumably
// UTC; confirm before correlating them with other log sources.
type TimeStamps struct {
	CreateTime       time.Time
	FileModifiedTime time.Time
	MFTModifiedTime  time.Time
	AccessedTime     time.Time
}

type WinFileTimeParser

type WinFileTimeParser struct {
	*vtypes.IntParser
}

func (*WinFileTimeParser) AsDate

func (self *WinFileTimeParser) AsDate(offset int64, reader io.ReaderAt) time.Time

func (*WinFileTimeParser) AsInteger

func (self *WinFileTimeParser) AsInteger(offset int64, reader io.ReaderAt) int64

func (*WinFileTimeParser) AsString

func (self *WinFileTimeParser) AsString(offset int64, reader io.ReaderAt) string

func (WinFileTimeParser) Copy

func (self WinFileTimeParser) Copy() vtypes.Parser

func (*WinFileTimeParser) DebugString

func (self *WinFileTimeParser) DebugString(offset int64, reader io.ReaderAt) string

Directories

Path Synopsis
