2017-07-19 16:31:08 +01:00
|
|
|
|
// /***************************************************************************
|
2016-07-28 18:13:49 +01:00
|
|
|
|
// The Disc Image Chef
|
|
|
|
|
|
// ----------------------------------------------------------------------------
|
|
|
|
|
|
//
|
|
|
|
|
|
// Filename : NTFS.cs
|
|
|
|
|
|
// Author(s) : Natalia Portillo <claunia@claunia.com>
|
|
|
|
|
|
//
|
|
|
|
|
|
// Component : Microsoft NT File System plugin.
|
|
|
|
|
|
//
|
|
|
|
|
|
// --[ Description ] ----------------------------------------------------------
|
|
|
|
|
|
//
|
|
|
|
|
|
// Identifies the Microsoft NT File System and shows information.
|
|
|
|
|
|
//
|
|
|
|
|
|
// --[ License ] --------------------------------------------------------------
|
|
|
|
|
|
//
|
|
|
|
|
|
// This library is free software; you can redistribute it and/or modify
|
|
|
|
|
|
// it under the terms of the GNU Lesser General Public License as
|
|
|
|
|
|
// published by the Free Software Foundation; either version 2.1 of the
|
|
|
|
|
|
// License, or (at your option) any later version.
|
|
|
|
|
|
//
|
|
|
|
|
|
// This library is distributed in the hope that it will be useful, but
|
|
|
|
|
|
// WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
|
|
// Lesser General Public License for more details.
|
|
|
|
|
|
//
|
|
|
|
|
|
// You should have received a copy of the GNU Lesser General Public
|
|
|
|
|
|
// License along with this library; if not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
|
//
|
|
|
|
|
|
// ----------------------------------------------------------------------------
|
2018-12-29 17:34:38 +00:00
|
|
|
|
// Copyright © 2011-2019 Natalia Portillo
|
2016-07-28 18:13:49 +01:00
|
|
|
|
// ****************************************************************************/
|
2014-04-17 19:58:14 +00:00
|
|
|
|
|
2011-03-29 02:56:27 +00:00
|
|
|
|
using System;
|
2017-07-10 22:04:51 +01:00
|
|
|
|
using System.Runtime.InteropServices;
|
2017-07-19 16:31:08 +01:00
|
|
|
|
using System.Text;
|
2017-07-10 22:04:51 +01:00
|
|
|
|
using DiscImageChef.Checksums;
|
2017-07-19 16:31:08 +01:00
|
|
|
|
using DiscImageChef.CommonTypes;
|
2018-06-25 19:08:16 +01:00
|
|
|
|
using DiscImageChef.CommonTypes.Interfaces;
|
2017-12-21 14:30:38 +00:00
|
|
|
|
using Schemas;
|
2019-03-01 07:35:22 +00:00
|
|
|
|
using Marshal = DiscImageChef.Helpers.Marshal;
|
2017-07-19 16:31:08 +01:00
|
|
|
|
|
2016-07-21 16:15:39 +01:00
|
|
|
|
namespace DiscImageChef.Filesystems
|
2011-03-29 02:56:27 +00:00
|
|
|
|
{
|
2017-07-19 16:31:08 +01:00
|
|
|
|
// Information from Inside Windows NT
|
2017-12-26 06:05:12 +00:00
|
|
|
|
public class NTFS : IFilesystem
|
2014-04-14 02:29:13 +00:00
|
|
|
|
{
|
2017-12-26 08:01:40 +00:00
|
|
|
|
public FileSystemType XmlFsType { get; private set; }
|
2018-02-03 17:39:49 +00:00
|
|
|
|
public Encoding Encoding { get; private set; }
|
|
|
|
|
|
public string Name => "New Technology File System (NTFS)";
|
|
|
|
|
|
public Guid Id => new Guid("33513B2C-1e6d-4d21-a660-0bbc789c3871");
|
2018-08-29 22:15:43 +01:00
|
|
|
|
public string Author => "Natalia Portillo";
|
2016-07-27 13:32:45 +01:00
|
|
|
|
|
2017-12-26 07:28:40 +00:00
|
|
|
|
public bool Identify(IMediaImage imagePlugin, Partition partition)
|
2014-04-14 02:29:13 +00:00
|
|
|
|
{
|
2017-12-20 17:26:28 +00:00
|
|
|
|
if(2 + partition.Start >= partition.End) return false;
|
2014-07-09 19:49:14 +01:00
|
|
|
|
|
2017-12-22 08:43:22 +00:00
|
|
|
|
byte[] eigthBytes = new byte[8];
|
2016-04-19 02:11:47 +01:00
|
|
|
|
|
2017-12-22 08:43:22 +00:00
|
|
|
|
byte[] ntfsBpb = imagePlugin.ReadSector(0 + partition.Start);
|
2016-04-19 02:11:47 +01:00
|
|
|
|
|
2017-12-22 08:43:22 +00:00
|
|
|
|
Array.Copy(ntfsBpb, 0x003, eigthBytes, 0, 8);
|
|
|
|
|
|
string oemName = StringHandlers.CToString(eigthBytes);
|
2016-04-19 02:11:47 +01:00
|
|
|
|
|
2017-12-22 08:43:22 +00:00
|
|
|
|
if(oemName != "NTFS ") return false;
|
2016-04-19 02:11:47 +01:00
|
|
|
|
|
2018-02-03 17:39:49 +00:00
|
|
|
|
byte fatsNo = ntfsBpb[0x010];
|
|
|
|
|
|
ushort spFat = BitConverter.ToUInt16(ntfsBpb, 0x016);
|
|
|
|
|
|
ushort signature = BitConverter.ToUInt16(ntfsBpb, 0x1FE);
|
2016-04-19 02:11:47 +01:00
|
|
|
|
|
2017-12-22 08:43:22 +00:00
|
|
|
|
if(fatsNo != 0) return false;
|
2018-02-03 17:39:49 +00:00
|
|
|
|
if(spFat != 0) return false;
|
2016-04-19 02:11:47 +01:00
|
|
|
|
|
2016-02-05 00:01:09 +00:00
|
|
|
|
return signature == 0xAA55;
|
2014-04-14 02:29:13 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
2017-12-26 08:01:40 +00:00
|
|
|
|
public void GetInformation(IMediaImage imagePlugin, Partition partition, out string information,
|
2018-02-03 17:39:49 +00:00
|
|
|
|
Encoding encoding)
|
2014-04-14 02:29:13 +00:00
|
|
|
|
{
|
2018-02-03 17:39:49 +00:00
|
|
|
|
Encoding = Encoding.Unicode;
|
2014-04-14 02:29:13 +00:00
|
|
|
|
information = "";
|
2016-04-19 02:11:47 +01:00
|
|
|
|
|
2014-04-14 02:29:13 +00:00
|
|
|
|
StringBuilder sb = new StringBuilder();
|
2016-04-19 02:11:47 +01:00
|
|
|
|
|
2017-12-22 08:43:22 +00:00
|
|
|
|
byte[] ntfsBpb = imagePlugin.ReadSector(0 + partition.Start);
|
2016-04-19 02:11:47 +01:00
|
|
|
|
|
2019-03-01 07:35:22 +00:00
|
|
|
|
NtfsBootBlock ntfsBb = Marshal.ByteArrayToStructureLittleEndian<NtfsBootBlock>(ntfsBpb);
|
2016-04-19 02:11:47 +01:00
|
|
|
|
|
2018-06-22 08:08:38 +01:00
|
|
|
|
sb.AppendFormat("{0} bytes per sector", ntfsBb.bps).AppendLine();
|
2017-12-22 08:43:22 +00:00
|
|
|
|
sb.AppendFormat("{0} sectors per cluster ({1} bytes)", ntfsBb.spc, ntfsBb.spc * ntfsBb.bps).AppendLine();
|
2017-12-21 16:07:20 +00:00
|
|
|
|
// sb.AppendFormat("{0} reserved sectors", ntfs_bb.rsectors).AppendLine();
|
|
|
|
|
|
// sb.AppendFormat("{0} FATs", ntfs_bb.fats_no).AppendLine();
|
|
|
|
|
|
// sb.AppendFormat("{0} entries in the root folder", ntfs_bb.root_ent).AppendLine();
|
|
|
|
|
|
// sb.AppendFormat("{0} sectors on volume (small)", ntfs_bb.sml_sectors).AppendLine();
|
2017-12-22 08:43:22 +00:00
|
|
|
|
sb.AppendFormat("Media descriptor: 0x{0:X2}", ntfsBb.media).AppendLine();
|
2017-12-21 16:07:20 +00:00
|
|
|
|
// sb.AppendFormat("{0} sectors per FAT", ntfs_bb.spfat).AppendLine();
|
2018-06-22 08:08:38 +01:00
|
|
|
|
sb.AppendFormat("{0} sectors per track", ntfsBb.sptrk).AppendLine();
|
|
|
|
|
|
sb.AppendFormat("{0} heads", ntfsBb.heads).AppendLine();
|
2017-12-22 08:43:22 +00:00
|
|
|
|
sb.AppendFormat("{0} hidden sectors before filesystem", ntfsBb.hsectors).AppendLine();
|
2017-12-21 16:07:20 +00:00
|
|
|
|
// sb.AppendFormat("{0} sectors on volume (big)", ntfs_bb.big_sectors).AppendLine();
|
2017-12-22 08:43:22 +00:00
|
|
|
|
sb.AppendFormat("BIOS drive number: 0x{0:X2}", ntfsBb.drive_no).AppendLine();
|
2017-12-21 16:07:20 +00:00
|
|
|
|
// sb.AppendFormat("NT flags: 0x{0:X2}", ntfs_bb.nt_flags).AppendLine();
|
|
|
|
|
|
// sb.AppendFormat("Signature 1: 0x{0:X2}", ntfs_bb.signature1).AppendLine();
|
2017-12-22 08:43:22 +00:00
|
|
|
|
sb.AppendFormat("{0} sectors on volume ({1} bytes)", ntfsBb.sectors, ntfsBb.sectors * ntfsBb.bps)
|
2017-12-19 20:33:03 +00:00
|
|
|
|
.AppendLine();
|
2018-06-22 08:08:38 +01:00
|
|
|
|
sb.AppendFormat("Cluster where $MFT starts: {0}", ntfsBb.mft_lsn).AppendLine();
|
2017-12-22 08:43:22 +00:00
|
|
|
|
sb.AppendFormat("Cluster where $MFTMirr starts: {0}", ntfsBb.mftmirror_lsn).AppendLine();
|
|
|
|
|
|
|
|
|
|
|
|
if(ntfsBb.mft_rc_clusters > 0)
|
|
|
|
|
|
sb.AppendFormat("{0} clusters per MFT record ({1} bytes)", ntfsBb.mft_rc_clusters,
|
|
|
|
|
|
ntfsBb.mft_rc_clusters * ntfsBb.bps * ntfsBb.spc).AppendLine();
|
|
|
|
|
|
else sb.AppendFormat("{0} bytes per MFT record", 1 << -ntfsBb.mft_rc_clusters).AppendLine();
|
|
|
|
|
|
if(ntfsBb.index_blk_cts > 0)
|
|
|
|
|
|
sb.AppendFormat("{0} clusters per Index block ({1} bytes)", ntfsBb.index_blk_cts,
|
|
|
|
|
|
ntfsBb.index_blk_cts * ntfsBb.bps * ntfsBb.spc).AppendLine();
|
|
|
|
|
|
else sb.AppendFormat("{0} bytes per Index block", 1 << -ntfsBb.index_blk_cts).AppendLine();
|
|
|
|
|
|
|
|
|
|
|
|
sb.AppendFormat("Volume serial number: {0:X16}", ntfsBb.serial_no).AppendLine();
|
2017-12-21 16:07:20 +00:00
|
|
|
|
// sb.AppendFormat("Signature 2: 0x{0:X4}", ntfs_bb.signature2).AppendLine();
|
2015-12-05 17:10:27 +00:00
|
|
|
|
|
2017-12-26 08:01:40 +00:00
|
|
|
|
XmlFsType = new FileSystemType();
|
2017-07-10 22:04:51 +01:00
|
|
|
|
|
2017-12-24 02:37:41 +00:00
|
|
|
|
if(ntfsBb.jump[0] == 0xEB && ntfsBb.jump[1] > 0x4E && ntfsBb.jump[1] < 0x80 && ntfsBb.signature2 == 0xAA55)
|
2017-07-10 22:04:51 +01:00
|
|
|
|
{
|
2018-02-03 19:11:41 +00:00
|
|
|
|
XmlFsType.Bootable = true;
|
2018-06-22 08:08:38 +01:00
|
|
|
|
string bootChk = Sha1Context.Data(ntfsBb.boot_code, out _);
|
2017-07-10 22:04:51 +01:00
|
|
|
|
sb.AppendLine("Volume is bootable");
|
|
|
|
|
|
sb.AppendFormat("Boot code's SHA1: {0}", bootChk).AppendLine();
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2019-04-23 01:38:33 +01:00
|
|
|
|
XmlFsType.ClusterSize = (uint)(ntfsBb.spc * ntfsBb.bps);
|
|
|
|
|
|
XmlFsType.Clusters = (ulong)(ntfsBb.sectors / ntfsBb.spc);
|
2017-12-26 08:01:40 +00:00
|
|
|
|
XmlFsType.VolumeSerial = $"{ntfsBb.serial_no:X16}";
|
2018-02-03 17:39:49 +00:00
|
|
|
|
XmlFsType.Type = "NTFS";
|
2016-04-19 02:11:47 +01:00
|
|
|
|
|
2014-04-14 02:29:13 +00:00
|
|
|
|
information = sb.ToString();
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2015-12-06 07:18:36 +00:00
|
|
|
|
/// <summary>
|
2017-12-24 02:37:41 +00:00
|
|
|
|
/// NTFS $BOOT
|
2015-12-06 07:18:36 +00:00
|
|
|
|
/// </summary>
|
2017-07-10 22:04:51 +01:00
|
|
|
|
[StructLayout(LayoutKind.Sequential, Pack = 1)]
|
2017-12-22 08:43:22 +00:00
|
|
|
|
struct NtfsBootBlock
|
2014-04-14 02:29:13 +00:00
|
|
|
|
{
|
2015-12-06 07:18:36 +00:00
|
|
|
|
// Start of BIOS Parameter Block
|
|
|
|
|
|
/// <summary>0x000, Jump to boot code</summary>
|
2018-02-03 17:39:49 +00:00
|
|
|
|
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 3)]
|
2019-04-23 01:38:33 +01:00
|
|
|
|
public readonly byte[] jump;
|
2015-12-06 07:18:36 +00:00
|
|
|
|
/// <summary>0x003, OEM Name, 8 bytes, space-padded, must be "NTFS "</summary>
|
2018-02-03 17:39:49 +00:00
|
|
|
|
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
|
2019-04-23 01:38:33 +01:00
|
|
|
|
public readonly byte[] oem_name;
|
2015-12-06 07:18:36 +00:00
|
|
|
|
/// <summary>0x00B, Bytes per sector</summary>
|
2019-04-23 01:38:33 +01:00
|
|
|
|
public readonly ushort bps;
|
2015-12-06 07:18:36 +00:00
|
|
|
|
/// <summary>0x00D, Sectors per cluster</summary>
|
2019-04-23 01:38:33 +01:00
|
|
|
|
public readonly byte spc;
|
2015-12-06 07:18:36 +00:00
|
|
|
|
/// <summary>0x00E, Reserved sectors, seems 0</summary>
|
2019-04-23 01:38:33 +01:00
|
|
|
|
public readonly ushort rsectors;
|
2015-12-06 07:18:36 +00:00
|
|
|
|
/// <summary>0x010, Number of FATs... obviously, 0</summary>
|
2019-04-23 01:38:33 +01:00
|
|
|
|
public readonly byte fats_no;
|
2015-12-06 07:18:36 +00:00
|
|
|
|
/// <summary>0x011, Number of entries on root directory... 0</summary>
|
2019-04-23 01:38:33 +01:00
|
|
|
|
public readonly ushort root_ent;
|
2015-12-06 07:18:36 +00:00
|
|
|
|
/// <summary>0x013, Sectors in volume... 0</summary>
|
2019-04-23 01:38:33 +01:00
|
|
|
|
public readonly ushort sml_sectors;
|
2015-12-06 07:18:36 +00:00
|
|
|
|
/// <summary>0x015, Media descriptor</summary>
|
2019-04-23 01:38:33 +01:00
|
|
|
|
public readonly byte media;
|
2015-12-06 07:18:36 +00:00
|
|
|
|
/// <summary>0x016, Sectors per FAT... 0</summary>
|
2019-04-23 01:38:33 +01:00
|
|
|
|
public readonly ushort spfat;
|
2015-12-06 07:18:36 +00:00
|
|
|
|
/// <summary>0x018, Sectors per track, required to boot</summary>
|
2019-04-23 01:38:33 +01:00
|
|
|
|
public readonly ushort sptrk;
|
2015-12-06 07:18:36 +00:00
|
|
|
|
/// <summary>0x01A, Heads... required to boot</summary>
|
2019-04-23 01:38:33 +01:00
|
|
|
|
public readonly ushort heads;
|
2015-12-06 07:18:36 +00:00
|
|
|
|
/// <summary>0x01C, Hidden sectors before BPB</summary>
|
2019-04-23 01:38:33 +01:00
|
|
|
|
public readonly uint hsectors;
|
2015-12-06 07:18:36 +00:00
|
|
|
|
/// <summary>0x020, Sectors in volume if > 65535... 0</summary>
|
2019-04-23 01:38:33 +01:00
|
|
|
|
public readonly uint big_sectors;
|
2015-12-06 07:18:36 +00:00
|
|
|
|
/// <summary>0x024, Drive number</summary>
|
2019-04-23 01:38:33 +01:00
|
|
|
|
public readonly byte drive_no;
|
2015-12-06 07:18:36 +00:00
|
|
|
|
/// <summary>0x025, 0</summary>
|
2019-04-23 01:38:33 +01:00
|
|
|
|
public readonly byte nt_flags;
|
2015-12-06 07:18:36 +00:00
|
|
|
|
/// <summary>0x026, EPB signature, 0x80</summary>
|
2019-04-23 01:38:33 +01:00
|
|
|
|
public readonly byte signature1;
|
2015-12-06 07:18:36 +00:00
|
|
|
|
/// <summary>0x027, Alignment</summary>
|
2019-04-23 01:38:33 +01:00
|
|
|
|
public readonly byte dummy;
|
2014-04-14 02:29:13 +00:00
|
|
|
|
// End of BIOS Parameter Block
|
2015-12-06 07:18:36 +00:00
|
|
|
|
|
|
|
|
|
|
// Start of NTFS real superblock
|
|
|
|
|
|
/// <summary>0x028, Sectors on volume</summary>
|
2019-04-23 01:38:33 +01:00
|
|
|
|
public readonly long sectors;
|
2015-12-06 07:18:36 +00:00
|
|
|
|
/// <summary>0x030, LSN of $MFT</summary>
|
2019-04-23 01:38:33 +01:00
|
|
|
|
public readonly long mft_lsn;
|
2015-12-06 07:18:36 +00:00
|
|
|
|
/// <summary>0x038, LSN of $MFTMirror</summary>
|
2019-04-23 01:38:33 +01:00
|
|
|
|
public readonly long mftmirror_lsn;
|
2015-12-06 07:18:36 +00:00
|
|
|
|
/// <summary>0x040, Clusters per MFT record</summary>
|
2019-04-23 01:38:33 +01:00
|
|
|
|
public readonly sbyte mft_rc_clusters;
|
2015-12-06 07:18:36 +00:00
|
|
|
|
/// <summary>0x041, Alignment</summary>
|
2019-04-23 01:38:33 +01:00
|
|
|
|
public readonly byte dummy2;
|
2015-12-06 07:18:36 +00:00
|
|
|
|
/// <summary>0x042, Alignment</summary>
|
2019-04-23 01:38:33 +01:00
|
|
|
|
public readonly ushort dummy3;
|
2015-12-06 07:18:36 +00:00
|
|
|
|
/// <summary>0x044, Clusters per index block</summary>
|
2019-04-23 01:38:33 +01:00
|
|
|
|
public readonly sbyte index_blk_cts;
|
2015-12-06 07:18:36 +00:00
|
|
|
|
/// <summary>0x045, Alignment</summary>
|
2019-04-23 01:38:33 +01:00
|
|
|
|
public readonly byte dummy4;
|
2015-12-06 07:18:36 +00:00
|
|
|
|
/// <summary>0x046, Alignment</summary>
|
2019-04-23 01:38:33 +01:00
|
|
|
|
public readonly ushort dummy5;
|
2015-12-06 07:18:36 +00:00
|
|
|
|
/// <summary>0x048, Volume serial number</summary>
|
2019-04-23 01:38:33 +01:00
|
|
|
|
public readonly ulong serial_no;
|
2017-07-10 22:04:51 +01:00
|
|
|
|
/// <summary>Boot code.</summary>
|
2018-02-03 17:39:49 +00:00
|
|
|
|
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 430)]
|
2019-04-23 01:38:33 +01:00
|
|
|
|
public readonly byte[] boot_code;
|
2015-12-06 07:18:36 +00:00
|
|
|
|
/// <summary>0x1FE, 0xAA55</summary>
|
2019-04-23 01:38:33 +01:00
|
|
|
|
public readonly ushort signature2;
|
2014-04-14 02:29:13 +00:00
|
|
|
|
}
|
|
|
|
|
|
}
|
2017-12-19 20:33:03 +00:00
|
|
|
|
}
|
