// /*************************************************************************** // The Disc Image Chef // ---------------------------------------------------------------------------- // // Filename : NTFS.cs // Author(s) : Natalia Portillo // // Component : Microsoft NT File System plugin. // // --[ Description ] ---------------------------------------------------------- // // Identifies the Microsoft NT File System and shows information. // // --[ License ] -------------------------------------------------------------- // // This library is free software; you can redistribute it and/or modify // it under the terms of the GNU Lesser General Public License as // published by the Free Software Foundation; either version 2.1 of the // License, or (at your option) any later version. // // This library is distributed in the hope that it will be useful, but // WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU // Lesser General Public License for more details. // // You should have received a copy of the GNU Lesser General Public // License along with this library; if not, see . // // ---------------------------------------------------------------------------- // Copyright © 2011-2018 Natalia Portillo // ****************************************************************************/ using System; using System.Runtime.InteropServices; using System.Text; using DiscImageChef.Checksums; using DiscImageChef.CommonTypes; using DiscImageChef.CommonTypes.Interfaces; using Schemas; namespace DiscImageChef.Filesystems { // Information from Inside Windows NT public class NTFS : IFilesystem { public FileSystemType XmlFsType { get; private set; } public Encoding Encoding { get; private set; } public string Name => "New Technology File System (NTFS)"; public Guid Id => new Guid("33513B2C-1e6d-4d21-a660-0bbc789c3871"); public string Author => "Natalia Portillo"; public bool Identify(IMediaImage imagePlugin, Partition partition) { if(2 + partition.Start >= partition.End) return false; byte[] eigthBytes = new byte[8]; byte[] ntfsBpb = imagePlugin.ReadSector(0 + partition.Start); Array.Copy(ntfsBpb, 0x003, eigthBytes, 0, 8); string oemName = StringHandlers.CToString(eigthBytes); if(oemName != "NTFS ") return false; byte fatsNo = ntfsBpb[0x010]; ushort spFat = BitConverter.ToUInt16(ntfsBpb, 0x016); ushort signature = BitConverter.ToUInt16(ntfsBpb, 0x1FE); if(fatsNo != 0) return false; if(spFat != 0) return false; return signature == 0xAA55; } public void GetInformation(IMediaImage imagePlugin, Partition partition, out string information, Encoding encoding) { Encoding = Encoding.Unicode; information = ""; StringBuilder sb = new StringBuilder(); byte[] ntfsBpb = imagePlugin.ReadSector(0 + partition.Start); IntPtr bpbPtr = Marshal.AllocHGlobal(512); Marshal.Copy(ntfsBpb, 0, bpbPtr, 512); NtfsBootBlock ntfsBb = (NtfsBootBlock)Marshal.PtrToStructure(bpbPtr, typeof(NtfsBootBlock)); Marshal.FreeHGlobal(bpbPtr); sb.AppendFormat("{0} bytes per sector", ntfsBb.bps).AppendLine(); sb.AppendFormat("{0} sectors per cluster ({1} bytes)", ntfsBb.spc, ntfsBb.spc * ntfsBb.bps).AppendLine(); // sb.AppendFormat("{0} reserved sectors", ntfs_bb.rsectors).AppendLine(); // sb.AppendFormat("{0} FATs", ntfs_bb.fats_no).AppendLine(); // sb.AppendFormat("{0} entries in the root folder", ntfs_bb.root_ent).AppendLine(); // sb.AppendFormat("{0} sectors on volume (small)", ntfs_bb.sml_sectors).AppendLine(); sb.AppendFormat("Media descriptor: 0x{0:X2}", ntfsBb.media).AppendLine(); // sb.AppendFormat("{0} sectors per FAT", ntfs_bb.spfat).AppendLine(); sb.AppendFormat("{0} sectors per track", ntfsBb.sptrk).AppendLine(); sb.AppendFormat("{0} heads", ntfsBb.heads).AppendLine(); sb.AppendFormat("{0} hidden sectors before filesystem", ntfsBb.hsectors).AppendLine(); // sb.AppendFormat("{0} sectors on volume (big)", ntfs_bb.big_sectors).AppendLine(); sb.AppendFormat("BIOS drive number: 0x{0:X2}", ntfsBb.drive_no).AppendLine(); // sb.AppendFormat("NT flags: 0x{0:X2}", ntfs_bb.nt_flags).AppendLine(); // sb.AppendFormat("Signature 1: 0x{0:X2}", ntfs_bb.signature1).AppendLine(); sb.AppendFormat("{0} sectors on volume ({1} bytes)", ntfsBb.sectors, ntfsBb.sectors * ntfsBb.bps) .AppendLine(); sb.AppendFormat("Cluster where $MFT starts: {0}", ntfsBb.mft_lsn).AppendLine(); sb.AppendFormat("Cluster where $MFTMirr starts: {0}", ntfsBb.mftmirror_lsn).AppendLine(); if(ntfsBb.mft_rc_clusters > 0) sb.AppendFormat("{0} clusters per MFT record ({1} bytes)", ntfsBb.mft_rc_clusters, ntfsBb.mft_rc_clusters * ntfsBb.bps * ntfsBb.spc).AppendLine(); else sb.AppendFormat("{0} bytes per MFT record", 1 << -ntfsBb.mft_rc_clusters).AppendLine(); if(ntfsBb.index_blk_cts > 0) sb.AppendFormat("{0} clusters per Index block ({1} bytes)", ntfsBb.index_blk_cts, ntfsBb.index_blk_cts * ntfsBb.bps * ntfsBb.spc).AppendLine(); else sb.AppendFormat("{0} bytes per Index block", 1 << -ntfsBb.index_blk_cts).AppendLine(); sb.AppendFormat("Volume serial number: {0:X16}", ntfsBb.serial_no).AppendLine(); // sb.AppendFormat("Signature 2: 0x{0:X4}", ntfs_bb.signature2).AppendLine(); XmlFsType = new FileSystemType(); if(ntfsBb.jump[0] == 0xEB && ntfsBb.jump[1] > 0x4E && ntfsBb.jump[1] < 0x80 && ntfsBb.signature2 == 0xAA55) { XmlFsType.Bootable = true; string bootChk = Sha1Context.Data(ntfsBb.boot_code, out _); sb.AppendLine("Volume is bootable"); sb.AppendFormat("Boot code's SHA1: {0}", bootChk).AppendLine(); } XmlFsType.ClusterSize = ntfsBb.spc * ntfsBb.bps; XmlFsType.Clusters = ntfsBb.sectors / ntfsBb.spc; XmlFsType.VolumeSerial = $"{ntfsBb.serial_no:X16}"; XmlFsType.Type = "NTFS"; information = sb.ToString(); } /// /// NTFS $BOOT /// [StructLayout(LayoutKind.Sequential, Pack = 1)] struct NtfsBootBlock { // Start of BIOS Parameter Block /// 0x000, Jump to boot code [MarshalAs(UnmanagedType.ByValArray, SizeConst = 3)] public byte[] jump; /// 0x003, OEM Name, 8 bytes, space-padded, must be "NTFS " [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)] public byte[] oem_name; /// 0x00B, Bytes per sector public ushort bps; /// 0x00D, Sectors per cluster public byte spc; /// 0x00E, Reserved sectors, seems 0 public ushort rsectors; /// 0x010, Number of FATs... obviously, 0 public byte fats_no; /// 0x011, Number of entries on root directory... 0 public ushort root_ent; /// 0x013, Sectors in volume... 0 public ushort sml_sectors; /// 0x015, Media descriptor public byte media; /// 0x016, Sectors per FAT... 0 public ushort spfat; /// 0x018, Sectors per track, required to boot public ushort sptrk; /// 0x01A, Heads... required to boot public ushort heads; /// 0x01C, Hidden sectors before BPB public uint hsectors; /// 0x020, Sectors in volume if > 65535... 0 public uint big_sectors; /// 0x024, Drive number public byte drive_no; /// 0x025, 0 public byte nt_flags; /// 0x026, EPB signature, 0x80 public byte signature1; /// 0x027, Alignment public byte dummy; // End of BIOS Parameter Block // Start of NTFS real superblock /// 0x028, Sectors on volume public long sectors; /// 0x030, LSN of $MFT public long mft_lsn; /// 0x038, LSN of $MFTMirror public long mftmirror_lsn; /// 0x040, Clusters per MFT record public sbyte mft_rc_clusters; /// 0x041, Alignment public byte dummy2; /// 0x042, Alignment public ushort dummy3; /// 0x044, Clusters per index block public sbyte index_blk_cts; /// 0x045, Alignment public byte dummy4; /// 0x046, Alignment public ushort dummy5; /// 0x048, Volume serial number public ulong serial_no; /// Boot code. [MarshalAs(UnmanagedType.ByValArray, SizeConst = 430)] public byte[] boot_code; /// 0x1FE, 0xAA55 public ushort signature2; } } }