Tuesday, October 11, 2016
NTFS $Secure parsing
Blue marks the MFT Entry Header
Green marks the Attribute Header
Pink marks the Attribute Name or the Attribute content
Below is the result of parsing it by hand
[Entry Header]
Length 0x02F8
The Entry End marker is 0xFFFFFF (the entry is padded with 0x00000000 to a multiple of 8, so the length is 0x02F8)
The next attribute id is 0x000F
0x10 -- 0x0000
0x30 -- 0x0007
0x80 -- 0x0008
0x90 -- 0x000B
0x90 -- 0x000E
0xA0 -- 0x0009
0xA0 -- 0x000C
0xB0 -- 0x000A
0xB0 -- 0x000D
[0x10] -- $STANDARD_INFORMATION
The file creation time is "1601-01-01, 00:00 UTC" + (0x01D21B378809B277 / pow(10,7)) seconds (the raw value counts 100-nanosecond intervals)
[0x30] -- $FILE_NAME
The name of this entry is $Secure; it has 7 characters, so its length is 2 x 7 = 14 bytes (UTF-16LE).
[0x80] -- $DATA, non-resident, named
starting VCN 0x00
last VCN 0x40
attribute name is $SDS, it has 4 characters (Name length on offset 0x09, one byte).
offset to the Data Runs 0x48
Data Runs
11 41 2D 00 00 00 00 00
11 41 2D - 00 00 00 00 00 (first group, then the remainder)
The first byte is the header: 0x11 means a one-byte length field followed by a one-byte offset field.
length 0x41 (clusters)
offset 0x2D (starting LCN, relative to the previous run, which is 0 for the first run)
Move to the next group
11 41 2D 00 00 00 00 00 -> 11 41 2D - 00 00 00 00 00
Because the next header byte is 0x00, this attribute has only one data run.
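The data-run decoding walked through above, and the $STANDARD_INFORMATION timestamp conversion, as an added example that is not part of the original post. It generalizes the single-run case: the header nibbles select the field sizes, each offset is a signed delta from the previous run's LCN, and a zero-size offset marks a sparse run. The second run list is constructed for illustration only.

```python
from datetime import datetime, timedelta, timezone

# Data runs of the $SDS $DATA attribute, exactly as shown in the post.
SDS_DATA_RUNS = bytes.fromhex("11412D0000000000")
# Constructed sample: a run with a 2-byte offset, a run with a negative
# 3-byte delta, and a sparse run (header low nibble only), then terminator.
SAMPLE_DATA_RUNS = bytes.fromhex("2118345631 0A00F0FF 0110 00".replace(" ", ""))
# Creation FILETIME read from $STANDARD_INFORMATION in the post.
SECURE_CREATION_FILETIME = 0x01D21B378809B277


def parse_data_runs(raw: bytes):
    """Decode an NTFS data-run list into (lcn, length) pairs in clusters.

    Header byte: low nibble = size of the length field, high nibble = size
    of the offset field. Offsets are signed little-endian deltas from the
    previous run's LCN. A 0x00 header terminates the list; a run with an
    offset size of 0 is sparse and is reported with lcn None.
    """
    runs, pos, prev_lcn = [], 0, 0
    while pos < len(raw):
        header = raw[pos]
        if header == 0x00:
            return runs
        len_size, off_size = header & 0x0F, header >> 4
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(raw):
            raise ValueError(f"malformed data run header at offset {pos - 1}")
        length = int.from_bytes(raw[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, length))  # sparse: no clusters allocated
            continue
        delta = int.from_bytes(raw[pos:pos + off_size], "little", signed=True)
        pos += off_size
        prev_lcn += delta
        runs.append((prev_lcn, length))
    raise ValueError("data run list not terminated by 0x00")


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a 100-ns count since 1601-01-01 00:00 UTC to a datetime."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=filetime // 10)


if __name__ == "__main__":
    print(parse_data_runs(SDS_DATA_RUNS))      # [(45, 65)]
    print(parse_data_runs(SAMPLE_DATA_RUNS))
    print(filetime_to_datetime(SECURE_CREATION_FILETIME))
```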
[0x90] -- $INDEX_ROOT, resident, named
attribute name is $SDH, it has 4 characters (Name length on offset 0x09, one byte).
[0x90] -- $INDEX_ROOT, resident, named
attribute name is $SII, it has 4 characters (Name length on offset 0x09, one byte).
[0xA0] -- $INDEX_ALLOCATION, non-resident, named
attribute name is $SDH, it has 4 characters (Name length on offset 0x09, one byte).
[0xA0] -- $INDEX_ALLOCATION, non-resident, named
attribute name is $SII, it has 4 characters (Name length on offset 0x09, one byte).
[0xB0] -- $BITMAP, resident, named
attribute name is $SDH, it has 4 characters (Name length on offset 0x09, one byte).
[0xB0] -- $BITMAP, resident, named
attribute name is $SII, it has 4 characters (Name length on offset 0x09, one byte).