/**
* ntfsinfo - Part of the Linux-NTFS project.
*
* Copyright (c) 2002-2004 Matthew J. Fanto
* Copyright (c) 2002-2006 Anton Altaparmakov
* Copyright (c) 2002-2005 Richard Russon
* Copyright (c) 2003-2006 Szabolcs Szakacsits
* Copyright (c) 2004-2005 Yuval Fledel
* Copyright (c) 2004-2007 Yura Pakhuchiy
* Copyright (c) 2005 Cristian Klein
*
* This utility will dump a file's attributes.
*
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program (in the main directory of the Linux-NTFS
* distribution in the file COPYING); if not, write to the Free Software
* Foundation,Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
/*
* TODO LIST:
* - Better error checking. (focus on ntfs_dump_volume)
* - Comment things better.
* - More things at verbose mode.
* - Dump ACLs when security_id exists (NTFS 3+ only).
* - Clean ups.
* - Internationalization.
* - Add more Indexed Attr Types.
* - Make formatting look more like www.flatcap.org/ntfs/info
*
* Still not dumping certain attributes. Need to find the best
* way to output some of these attributes.
*
* Still need to do:
* $REPARSE_POINT/$SYMBOLIC_LINK
* $LOGGED_UTILITY_STREAM
*/
#include "config.h"
#ifdef HAVE_STDIO_H
#include <stdio.h>
#endif
#ifdef HAVE_STDLIB_H
#include <stdlib.h>
#endif
#ifdef HAVE_STRING_H
#include <string.h>
#endif
#ifdef HAVE_TIME_H
#include <time.h>
#endif
#ifdef HAVE_GETOPT_H
#include <getopt.h>
#endif
#ifdef HAVE_ERRNO_H
#include <errno.h>
#endif
#include "compat.h"
#include "types.h"
#include "mft.h"
#include "attrib.h"
#include "layout.h"
#include "inode.h"
#include "index.h"
#include "utils.h"
#include "security.h"
#include "mst.h"
#include "dir.h"
#include "ntfstime.h"
#include "version.h"
#include "support.h"
static struct options {
} opts;
/**
* version - Print version information about the program
*
* Print a copyright statement and a brief description of the program.
*
* Return: none
*/
static void version(void)
{
printf("\n%s v%s (libntfs %s) - Display information about an NTFS "
printf("Copyright (c)\n");
printf(" 2002-2004 Matthew J. Fanto\n");
printf(" 2002-2006 Anton Altaparmakov\n");
printf(" 2002-2005 Richard Russon\n");
printf(" 2003-2006 Szabolcs Szakacsits\n");
printf(" 2003 Leonard NorrgÄrd\n");
printf(" 2004-2005 Yuval Fledel\n");
printf(" 2004-2007 Yura Pakhuchiy\n");
}
/**
* usage - Print a list of the parameters to the program
*
* Print a list of the parameters and options for the program.
*
* Return: none
*/
static void usage(void)
{
printf("\nUsage: %s [options] device\n"
" -i, --inode NUM Display information about this inode\n"
" -F, --file FILE Display information about this file (absolute path)\n"
" -m, --mft Dump information about the volume\n"
" -t, --notime Don't report timestamps\n"
"\n"
" -f, --force Use less caution\n"
" -q, --quiet Less output\n"
" -v, --verbose More output\n"
" -V, --version Display version information\n"
" -h, --help Display this help\n"
#ifdef DEBUG
" -d, --debug Show debug information\n"
#endif
"\n",
}
/**
* parse_options - Read and validate the programs command line
*
* Read the command line, verify the syntax and parse the options.
* This function is very long, but quite simple.
*
* Return: 1 Success
* 0 Error, one or more problems
*/
{
#ifdef DEBUG
#endif
};
int c = -1;
int err = 0;
int ver = 0;
int help = 0;
int levels = 0;
opterr = 0; /* We'll handle the errors, thank you. */
switch (c) {
case 1:
else
err++;
break;
case 'd':
break;
case 'i':
err++;
}
break;
case 'F':
/* The inode can not be resolved here,
store the filename */
} else {
/* "-F" can't appear more than once */
err++;
}
break;
case 'f':
break;
case 'h':
help++;
break;
case 'q':
break;
case 't':
break;
case 'T':
/* 'T' is deprecated, notify */
ntfs_log_error("Option 'T' is deprecated, it was "
"replaced by 't'.\n");
err++;
break;
case 'v':
break;
case 'V':
ver++;
break;
case 'm':
break;
case '?':
if (optopt=='?') {
help++;
continue;
}
continue;
ntfs_log_error("Unknown option '%s'.\n",
err++;
break;
case ':':
ntfs_log_error("Option '%s' requires an "
err++;
break;
default:
ntfs_log_error("Unhandled option case: %d.\n", c);
err++;
break;
}
}
/* Make sure we're in sync with the log levels */
if (levels & NTFS_LOG_LEVEL_VERBOSE)
if (!(levels & NTFS_LOG_LEVEL_QUIET))
} else {
if (argc > 1)
ntfs_log_error("You must specify exactly one "
"device.\n");
err++;
}
if (argc > 1)
ntfs_log_error("You must specify an inode to "
"learn about.\n");
err++;
}
ntfs_log_error("You may not use --quiet and --verbose "
"at the same time.\n");
err++;
}
if (argc > 1)
ntfs_log_error("You may not specify --inode "
"and --file together.\n");
err++;
}
}
#ifdef DEBUG
ntfs_log_perror("Failed to freopen stderr to /dev/null");
exit(1);
}
#endif
if (ver)
version();
usage();
}
/* *************** utility functions ******************** */
/**
* ntfsinfo_time_to_str() -
* @sle_ntfs_clock: on disk time format in 100ns units since 1st jan 1601
* in little-endian format
*
* Return char* in a format 'Thu Jan 1 00:00:00 1970'.
* No need to free the returned memory.
*
* Example of usage:
* char *time_str = ntfsinfo_time_to_str(
* sle64_to_cpu(standard_attr->creation_time));
* printf("\tFile Creation Time:\t %s", time_str);
*/
{
return ctime(&unix_clock);
}
/**
* ntfs_attr_get_name()
* @attr: a valid attribute record
*
* return multi-byte string containing the attribute name if exist. the user
* is then responsible of freeing that memory.
* null if no name exists (attr->name_length==0). no memory allocated.
* null if cannot convert to multi-byte string. errno would contain the
* error id. no memory allocated in that case
*/
{
int mbs_attr_name_size;
/* Get name in unicode. */
/* Convert unicode to printable format. */
&mbs_attr_name, 0);
if (mbs_attr_name_size > 0)
return mbs_attr_name;
else
return NULL;
}
/* *************** functions for dumping global info ******************** */
/**
* ntfs_dump_volume - dump information about the volume
*/
{
printf("Volume Information \n");
printf("\tVolume Size in Clusters: %lld\n",
(long long)vol->nr_clusters);
printf("MFT Information \n");
printf("\tCurrent Position in First Data Zone: %lld\n",
(long long)vol->data1_zone_pos);
printf("\tCurrent Position in Second Data Zone: %lld\n",
(long long)vol->data2_zone_pos);
printf("\tLCN of Data Attribute for FILE_MFT: %lld\n",
printf("\tLCN of Data Attribute for File_MFTMirr: %lld\n",
(long long)vol->mftmirr_lcn);
printf("\tSize of Attribute Definition Table: %d\n",
(int)vol->attrdef_len);
printf("FILE_Bitmap Information \n");
printf("\tFILE_Bitmap MFT Record Number: %llu\n",
printf("\tLength of Attribute List: %u\n",
printf("\tNumber of Attached Extent Inodes: %d\n",
/* FIXME: need to add code for the union if nr_extens != 0, but
i dont know if it will ever != 0 with FILE_Bitmap */
printf("FILE_Bitmap Data Attribute Information\n");
printf("\tDecompressed Runlist: not done yet\n");
printf("\tBase Inode: %llu\n",
printf("\tAttribute Types: not done yet\n");
//printf("\tAttribute Name: %s\n", vol->lcnbmp_na->name);
printf("\tAttribute Name Length: %u\n",
printf("\tAttribute Allocated Size: %lld\n",
printf("\tAttribute Data Size: %lld\n",
printf("\tAttribute Initialized Size: %lld\n",
printf("\tAttribute Compressed Size: %lld\n",
printf("\tCompression Block Size: %u\n",
printf("\tCompression Block Size Bits: %u\n",
printf("\tCompression Block Clusters: %u\n",
//TODO: Still need to add a few more attributes
}
/**
* ntfs_dump_flags - Dump flags for STANDARD_INFORMATION and FILE_NAME.
* @type: dump flags for this attribute type
* @flags: flags for dumping
*/
{
if (flags & FILE_ATTR_READONLY) {
printf(" READONLY");
flags &= ~FILE_ATTR_READONLY;
}
if (flags & FILE_ATTR_HIDDEN) {
printf(" HIDDEN");
flags &= ~FILE_ATTR_HIDDEN;
}
if (flags & FILE_ATTR_SYSTEM) {
printf(" SYSTEM");
flags &= ~FILE_ATTR_SYSTEM;
}
if (flags & FILE_ATTR_DIRECTORY) {
printf(" DIRECTORY");
flags &= ~FILE_ATTR_DIRECTORY;
}
if (flags & FILE_ATTR_ARCHIVE) {
printf(" ARCHIVE");
flags &= ~FILE_ATTR_ARCHIVE;
}
if (flags & FILE_ATTR_DEVICE) {
printf(" DEVICE");
flags &= ~FILE_ATTR_DEVICE;
}
if (flags & FILE_ATTR_NORMAL) {
printf(" NORMAL");
flags &= ~FILE_ATTR_NORMAL;
}
if (flags & FILE_ATTR_TEMPORARY) {
printf(" TEMPORARY");
flags &= ~FILE_ATTR_TEMPORARY;
}
if (flags & FILE_ATTR_SPARSE_FILE) {
printf(" SPARSE_FILE");
}
if (flags & FILE_ATTR_REPARSE_POINT) {
printf(" REPARSE_POINT");
}
if (flags & FILE_ATTR_COMPRESSED) {
printf(" COMPRESSED");
}
if (flags & FILE_ATTR_OFFLINE) {
printf(" OFFLINE");
flags &= ~FILE_ATTR_OFFLINE;
}
if (flags & FILE_ATTR_NOT_CONTENT_INDEXED) {
printf(" NOT_CONTENT_INDEXED");
}
if (flags & FILE_ATTR_ENCRYPTED) {
printf(" ENCRYPTED");
flags &= ~FILE_ATTR_ENCRYPTED;
}
/* We know that FILE_ATTR_I30_INDEX_PRESENT only exists on $FILE_NAME,
and in case we are wrong, let it appear as UNKNOWN */
if (type == AT_FILE_NAME) {
if (flags & FILE_ATTR_I30_INDEX_PRESENT) {
printf(" I30_INDEX");
}
}
if (flags & FILE_ATTR_VIEW_INDEX_PRESENT) {
printf(" VIEW_INDEX");
}
if (flags)
/* Print all the flags in hex. */
}
/**
* ntfs_dump_namespace
*/
{
const char *mbs_file_type;
/* name space */
switch (file_name_type) {
case FILE_NAME_POSIX:
mbs_file_type = "POSIX";
break;
case FILE_NAME_WIN32:
mbs_file_type = "Win32";
break;
case FILE_NAME_DOS:
mbs_file_type = "DOS";
break;
case FILE_NAME_WIN32_AND_DOS:
mbs_file_type = "Win32 & DOS";
break;
default:
mbs_file_type = "(unknown)";
}
}
/* *************** functions for dumping attributes ******************** */
/**
* ntfs_dump_standard_information
*/
{
/* time conversion stuff */
}
if (value_length == 48) {
/* Only 12 reserved bytes here */
} else if (value_length == 72) {
printf("\tMaximum versions:\t %u \n", (unsigned int)
printf("\tVersion number:\t\t %u \n", (unsigned int)
printf("\tClass ID:\t\t %u \n",
printf("\tUser ID:\t\t %u (0x%x)\n",
printf("\tSecurity ID:\t\t %u (0x%x)\n",
printf("\tQuota charged:\t\t %llu (0x%llx)\n",
(unsigned long long)
(unsigned long long)
printf("\tUpdate Sequence Number:\t %llu (0x%llx)\n",
(unsigned long long)
(unsigned long long)
} else {
printf("\tSize of STANDARD_INFORMATION is %u (0x%x). It "
"should be either 72 or 48, something is "
"wrong...\n", (unsigned int)value_length,
(unsigned)value_length);
}
}
{
int i;
}
}
/**
* ntfs_dump_attr_list()
*/
{
s64 l;
return;
if (!l) {
ntfs_log_perror("ntfs_get_attribute_value_length failed");
return;
}
value = ntfs_malloc(l);
if (!value)
return;
if (!l) {
ntfs_log_perror("ntfs_get_attribute_value failed");
return;
}
printf("\tDumping attribute list:");
printf("\n");
printf("\t\tAttribute type:\t0x%x\n",
printf("\t\tRecord length:\t%u (0x%x)\n",
printf("\t\tName length:\t%u (0x%x)\n",
(unsigned)entry->name_length,
(unsigned)entry->name_length);
printf("\t\tName offset:\t%u (0x%x)\n",
(unsigned)entry->name_offset,
(unsigned)entry->name_offset);
printf("\t\tStarting VCN:\t%lld (0x%llx)\n",
(unsigned long long)
printf("\t\tMFT reference:\t%lld (0x%llx)\n",
(unsigned long long)
(unsigned long long)
printf("\t\tInstance:\t%u (0x%x)\n",
printf("\t\tName:\t\t");
if (entry->name_length) {
int name_size;
if (name_size > 0) {
} else
ntfs_log_perror("ntfs_ucstombs failed");
} else
printf("unnamed\n");
printf("\t\tPadding:\t");
printf("\n");
}
printf("\tEnd of attribute list reached.\n");
}
/**
* ntfs_dump_filename()
*/
{
/* time stuff */
char *ntfs_time_str;
}
/* other basic stuff about the file */
(unsigned long long)
(unsigned long long)
(unsigned)file_name_attr->file_name_length,
(unsigned)file_name_attr->file_name_length);
else if (file_name_attr->u.reparse_point_tag) {
(unsigned)
if (file_name_attr->u.s.reserved)
(unsigned)
(unsigned)
}
/* The filename. */
if (file_name_attr->file_name_length > 0) {
/* but first we need to convert the little endian unicode string
into a printable format */
int mbs_file_name_size;
if (mbs_file_name_size>0) {
} else {
/* an error occurred, errno holds the reason - notify the user */
ntfs_log_perror("ntfsinfo error: could not parse file name");
}
} else {
}
}
/**
* ntfs_dump_attr_file_name()
*/
{
}
/**
* ntfs_dump_object_id
*
* dump the $OBJECT_ID attribute - not present on all systems
*/
{
/* Object ID is mandatory. */
/* Dump Birth Volume ID. */
&obj_id_attr->u.s.birth_volume_id)) {
} else
printf("\tBirth Volume ID:\t missing\n");
/* Dumping Birth Object ID */
&obj_id_attr->u.s.birth_object_id)) {
} else
printf("\tBirth Object ID:\t missing\n");
/* Dumping Domain_id - reserved for now */
&obj_id_attr->u.s.domain_id)) {
} else
printf("\tDomain ID:\t\t missing\n");
} else
printf("\t$OBJECT_ID not present. Only NTFS versions > 3.0\n"
"\thave $OBJECT_ID. Your version of NTFS is %d.\n",
}
/**
* ntfs_dump_acl
*
* given an acl, print it in a beautiful & lovely way.
*/
{
unsigned int i;
/*
* Do not recalculate le16_to_cpu every iteration (minor speedup on
* big-endian machines.
*/
/* initialize 'ace' to the first ace (if any) */
/* iterate through ACE's */
for (i = 1; i <= ace_count; i++) {
const char *ace_type;
char *sid;
/* set ace_type. */
case ACCESS_ALLOWED_ACE_TYPE:
ace_type = "allow";
break;
case ACCESS_DENIED_ACE_TYPE:
ace_type = "deny";
break;
case SYSTEM_AUDIT_ACE_TYPE:
ace_type = "audit";
break;
default:
ace_type = "unknown";
break;
}
/* get a SID string */
/* proceed to next ACE */
}
}
const char *indent)
{
char *sid;
/* TODO: parse the flags */
return;
}
} else
} else
printf("defaulted");
}
printf("\n");
} else {
printf("missing\n");
}
printf("defaulted");
}
printf("\n");
} else {
printf("missing\n");
}
}
/**
* ntfs_dump_security_descriptor()
*
* dump the security information about the file
*/
{
if (attr->non_resident) {
/* FIXME: We don't handle fragmented mapping pairs case. */
if (rl) {
if (!sec_desc_attr) {
return;
}
if (bytes_read != data_size) {
ntfs_log_error("ntfsinfo error: could not "
"read security descriptor\n");
return;
}
} else {
ntfs_log_error("ntfsinfo error: could not "
"decompress runlist\n");
return;
}
} else {
}
if (attr->non_resident)
}
/**
* ntfs_dump_volume_name()
*
* dump the name of the volume the inode belongs to
*/
{
int mbs_vol_name_size;
/* calculate volume name position */
/* convert the name to current locale multibyte sequence */
sizeof(ntfschar), &mbs_vol_name, 0);
if (mbs_vol_name_size>0) {
/* output the converted name. */
} else
ntfs_log_perror("ntfsinfo error: could not parse "
"volume name");
} else
printf("\tVolume Name:\t\t unnamed\n");
}
/**
* ntfs_dump_volume_information()
*
* dump the information for the volume the inode belongs to
*
*/
{
printf("\tVolume Flags:\t\t ");
printf("DIRTY ");
printf("RESIZE_LOG ");
printf("UPG_ON_MOUNT ");
printf("MOUNTED_NT4 ");
printf("DEL_USN ");
printf("REPAIR_OBJID ");
printf("CHKDSK_UNDERWAY ");
printf("MOD_BY_CHKDSK ");
printf("(0x%04x)\n",
} else
printf("none set (0x0000)\n");
printf("\t\t\t\t Unknown Flags: 0x%04x\n",
(~VOLUME_FLAGS_MASK)));
}
{
ntfs_log_verbose("\n");
ntfs_log_verbose("\t\tHash:\t\t\t 0x%08x\n",
ntfs_log_verbose("\t\tSecurity id:\t\t %u (0x%x)\n",
ntfs_log_verbose("\t\tOffset:\t\t\t %llu (0x%llx)\n",
ntfs_log_verbose("\t\tLength:\t\t\t %u (0x%x)\n",
sizeof(SECURITY_DESCRIPTOR_HEADER));
}
{
int name_len;
if (ni->nr_extents < 0)
if (FILE_Secure != inode)
return;
if (!name_len)
return;
return;
if (!sd) {
ntfs_log_perror("Failed to read $SDS attribute");
return;
}
/*
* FIXME: The right way is based on the indexes, so we couldn't
* miss real entries. For now, dump until it makes sense.
*/
}
}
{
switch (type) {
case AT_UNUSED: return "$UNUSED";
case AT_STANDARD_INFORMATION: return "$STANDARD_INFORMATION";
case AT_ATTRIBUTE_LIST: return "$ATTRIBUTE_LIST";
case AT_FILE_NAME: return "$FILE_NAME";
case AT_OBJECT_ID: return "$OBJECT_ID";
case AT_SECURITY_DESCRIPTOR: return "$SECURITY_DESCRIPTOR";
case AT_VOLUME_NAME: return "$VOLUME_NAME";
case AT_VOLUME_INFORMATION: return "$VOLUME_INFORMATION";
case AT_DATA: return "$DATA";
case AT_INDEX_ROOT: return "$INDEX_ROOT";
case AT_INDEX_ALLOCATION: return "$INDEX_ALLOCATION";
case AT_BITMAP: return "$BITMAP";
case AT_REPARSE_POINT: return "$REPARSE_POINT";
case AT_EA_INFORMATION: return "$EA_INFORMATION";
case AT_EA: return "$EA";
case AT_PROPERTY_SET: return "$PROPERTY_SET";
case AT_LOGGED_UTILITY_STREAM: return "$LOGGED_UTILITY_STREAM";
case AT_END: return "$END";
}
return "$UNKNOWN";
}
{
switch (lcn) {
case LCN_HOLE:
return "<HOLE>\t";
case LCN_RL_NOT_MAPPED:
return "<RL_NOT_MAPPED>";
case LCN_ENOENT:
return "<ENOENT>\t";
case LCN_EINVAL:
return "<EINVAL>\t";
case LCN_EIO:
return "<EIO>\t";
default:
ntfs_log_error("Invalid LCN value %llx passed to "
"ntfs_dump_lcn().\n", lcn);
return "???\t";
}
}
{
printf("Dumping attribute %s (0x%x) from mft record %lld (0x%llx)\n",
(unsigned)le32_to_cpu(a->type),
ntfs_log_verbose("\tAttribute length:\t %u (0x%x)\n",
(unsigned)le32_to_cpu(a->length),
(unsigned)le32_to_cpu(a->length));
ntfs_log_verbose("\tName length:\t\t %u (0x%x)\n",
(unsigned)a->name_length, (unsigned)a->name_length);
ntfs_log_verbose("\tName offset:\t\t %u (0x%x)\n",
(unsigned)le16_to_cpu(a->name_offset),
(unsigned)le16_to_cpu(a->name_offset));
/* Dump the attribute (stream) name */
if (a->name_length) {
if (attribute_name) {
} else
ntfs_log_perror("Error: couldn't parse attribute name");
}
/* TODO: parse the flags */
printf("\tAttribute flags:\t 0x%04x\n",
(unsigned)le16_to_cpu(a->flags));
printf("\tAttribute instance:\t %u (0x%x)\n",
(unsigned)le16_to_cpu(a->instance),
(unsigned)le16_to_cpu(a->instance));
/* Resident attribute */
if (!a->non_resident) {
printf("\tData size:\t\t %u (0x%x)\n",
ntfs_log_verbose("\tData offset:\t\t %u (0x%x)\n",
/* TODO: parse the flags */
printf("\tResident flags:\t\t 0x%02x\n",
(unsigned)a->u.res.resident_flags);
ntfs_log_verbose("\tReservedR:\t\t %d (0x%x)\n",
return;
}
/* Non-resident attribute */
ntfs_log_verbose("\tLowest VCN\t\t %lld (0x%llx)\n",
ntfs_log_verbose("\tHighest VCN:\t\t %lld (0x%llx)\n",
ntfs_log_verbose("\tMapping pairs offset:\t %u (0x%x)\n",
printf("\tCompression unit:\t %u (0x%x)\n",
(unsigned)a->u.nonres.compression_unit,
(unsigned)a->u.nonres.compression_unit);
/* TODO: dump the 5 reserved bytes here in verbose mode */
if (!a->u.nonres.lowest_vcn) {
printf("\tData size:\t\t %llu (0x%llx)\n",
printf("\tAllocated size:\t\t %llu (0x%llx)\n",
(unsigned long long)
printf("\tInitialized size:\t %llu (0x%llx)\n",
(unsigned long long)
a->flags & ATTR_IS_SPARSE)
printf("\tCompressed size:\t %llu (0x%llx)\n",
(signed long long)
(signed long long)
}
if (rl) {
// TODO: Switch this to properly aligned hex...
printf("\tRunlist:\tVCN\t\tLCN\t\tLength\n");
printf("\t\t\t0x%llx\t\t0x%llx\t\t"
else
printf("\t\t\t0x%llx\t\t%s\t"
rlc++;
}
} else
ntfs_log_error("Error: couldn't decompress runlist\n");
}
}
/**
* ntfs_dump_data_attr()
*
* dump some info about the data attribute if it's metadata
*/
{
}
typedef enum {
{
char *sid;
switch (type) {
case INDEX_ATTR_SECURE_SII:
ntfs_log_verbose("\t\tKey security id:\t %u (0x%x)\n",
(unsigned)
(unsigned)
break;
case INDEX_ATTR_SECURE_SDH:
ntfs_log_verbose("\t\tKey hash:\t\t 0x%08x\n",
ntfs_log_verbose("\t\tKey security id:\t %u (0x%x)\n",
(unsigned)
(unsigned)
break;
case INDEX_ATTR_OBJID_O:
break;
case INDEX_ATTR_REPARSE_R:
ntfs_log_verbose("\t\tKey reparse tag:\t 0x%08x\n", (unsigned)
ntfs_log_verbose("\t\tKey file id:\t\t %llu (0x%llx)\n",
(unsigned long long)
(unsigned long long)
break;
case INDEX_ATTR_QUOTA_O:
break;
case INDEX_ATTR_QUOTA_Q:
ntfs_log_verbose("\t\tKey owner id:\t\t %u (0x%x)\n",
break;
default:
ntfs_log_verbose("\t\tIndex attr type is UNKNOWN: \t 0x%08x\n",
(unsigned)type);
break;
}
}
#ifdef __sun
#pragma pack(1)
#endif
typedef union {
#ifdef __sun
#pragma pack()
#endif
{
switch (type) {
case INDEX_ATTR_SECURE_SII:
ntfs_log_verbose("\t\tHash:\t\t\t 0x%08x\n",
ntfs_log_verbose("\t\tSecurity id:\t\t %u (0x%x)\n",
ntfs_log_verbose("\t\tOffset in $SDS:\t\t %llu (0x%llx)\n",
(unsigned long long)
(unsigned long long)
ntfs_log_verbose("\t\tLength in $SDS:\t\t %u (0x%x)\n",
break;
case INDEX_ATTR_SECURE_SDH:
ntfs_log_verbose("\t\tHash:\t\t\t 0x%08x\n",
ntfs_log_verbose("\t\tSecurity id:\t\t %u (0x%x)\n",
ntfs_log_verbose("\t\tOffset in $SDS:\t\t %llu (0x%llx)\n",
(unsigned long long)
(unsigned long long)
ntfs_log_verbose("\t\tLength in $SDS:\t\t %u (0x%x)\n",
ntfs_log_verbose("\t\tUnknown (padding):\t 0x%08x\n",
break;
case INDEX_ATTR_OBJID_O: {
ntfs_log_verbose("\t\tMFT Number:\t\t 0x%llx\n",
(unsigned long long)
ntfs_log_verbose("\t\tMFT Sequence Number:\t 0x%x\n",
(unsigned)
ntfs_log_verbose("\t\tBirth volume id GUID:\t %s\n",
ntfs_log_verbose("\t\tBirth object id GUID:\t %s\n",
ntfs_log_verbose("\t\tDomain id GUID:\t\t %s\n",
}
break;
case INDEX_ATTR_REPARSE_R:
/* TODO */
break;
case INDEX_ATTR_QUOTA_O:
ntfs_log_verbose("\t\tOwner id:\t\t %u (0x%x)\n",
ntfs_log_verbose("\t\tUnknown:\t\t %u (0x%x)\n",
break;
case INDEX_ATTR_QUOTA_Q:
ntfs_log_verbose("\t\tVersion:\t\t %u\n",
ntfs_log_verbose("\t\tQuota flags:\t\t 0x%08x\n",
ntfs_log_verbose("\t\tBytes used:\t\t %llu (0x%llx)\n",
(unsigned long long)
(unsigned long long)
ntfs_log_verbose("\t\tLast changed:\t\t %s",
ntfs_log_verbose("\t\tThreshold:\t\t %lld (0x%llx)\n",
(unsigned long long)
(unsigned long long)
ntfs_log_verbose("\t\tLimit:\t\t\t %lld (0x%llx)\n",
(unsigned long long)
(unsigned long long)
ntfs_log_verbose("\t\tExceeded time:\t\t %lld (0x%llx)\n",
(unsigned long long)
(unsigned long long)
char *sid;
}
break;
default:
ntfs_log_verbose("\t\tIndex attr type is UNKNOWN: \t 0x%08x\n",
(unsigned)type);
break;
}
}
/**
* ntfs_dump_index_entries()
*
* dump sequence of index_entries and return number of entries dumped.
*/
{
while (1) {
break;
numb_entries++;
continue;
}
ntfs_log_verbose("\t\tEntry length:\t\t %u (0x%x)\n",
ntfs_log_verbose("\t\tKey length:\t\t %u (0x%x)\n",
ntfs_log_verbose("\t\tIndex entry flags:\t 0x%02x\n",
ntfs_log_verbose("\t\tSubnode VCN:\t\t %lld (0x%llx)\n",
break;
switch (type) {
case INDEX_ATTR_DIRECTORY_I30:
ntfs_log_verbose("\t\tFILE record number:\t %llu "
"(0x%llx)\n", (unsigned long long)
(unsigned long long)
break;
default:
ntfs_log_verbose("\t\tData offset:\t\t %u (0x%x)\n",
(unsigned)
(unsigned)
ntfs_log_verbose("\t\tData length:\t\t %u (0x%x)\n",
(unsigned)
(unsigned)
ntfs_log_verbose("\t\tKey Data:\n");
break;
}
ntfs_log_verbose("\tWARNING: Corrupt index entry, "
"skipping the remainder of this index "
"block.\n");
break;
}
numb_entries++;
ntfs_log_verbose("\n");
}
ntfs_log_verbose("\tEnd of index block reached\n");
return numb_entries;
}
{
if (!attr->name_length)
return INDEX_ATTR_UNKNOWN;
if (index_root->type) {
return INDEX_ATTR_DIRECTORY_I30;
else
/* weird, this should be illegal */
ntfs_log_error("Unknown index attribute type: 0x%0X\n",
index_root->type);
return INDEX_ATTR_UNKNOWN;
}
if (utils_is_metadata(ni) <= 0)
return INDEX_ATTR_UNKNOWN;
return INDEX_ATTR_UNKNOWN;
return INDEX_ATTR_SECURE_SDH;
return INDEX_ATTR_SECURE_SII;
return INDEX_ATTR_SECURE_SII;
return INDEX_ATTR_QUOTA_Q;
return INDEX_ATTR_REPARSE_R;
return INDEX_ATTR_QUOTA_O;
return INDEX_ATTR_OBJID_O;
}
return INDEX_ATTR_UNKNOWN;
}
{
if (type == INDEX_ATTR_DIRECTORY_I30)
printf("DIRECTORY_I30");
else if (type == INDEX_ATTR_SECURE_SDH)
printf("SECURE_SDH");
else if (type == INDEX_ATTR_SECURE_SII)
printf("SECURE_SII");
else if (type == INDEX_ATTR_OBJID_O)
printf("OBJID_O");
else if (type == INDEX_ATTR_QUOTA_O)
printf("QUOTA_O");
else if (type == INDEX_ATTR_QUOTA_Q)
printf("QUOTA_Q");
else if (type == INDEX_ATTR_REPARSE_R)
printf("REPARSE_R");
else
printf("UNKNOWN");
printf("\n");
}
{
/* FIXME: there are 3 reserved bytes here */
}
/**
* ntfs_dump_attr_index_root()
*
* dump the index_root attribute
*/
{
/* attr_type dumping */
printf("\tIndexed Attr Type:\t ");
/* collation rule dumping */
printf("\tCollation Rule:\t\t %u (0x%x)\n",
/* COLLATION_BINARY, COLLATION_FILE_NAME, COLLATION_UNICODE_STRING,
COLLATION_NTOFS_ULONG, COLLATION_NTOFS_SID,
COLLATION_NTOFS_SECURITY_HASH, COLLATION_NTOFS_ULONGS */
printf("\tIndex Block Size:\t %u (0x%x)\n",
printf("\tClusters Per Block:\t %u (0x%x)\n",
(unsigned)index_root->clusters_per_index_block,
(unsigned)index_root->clusters_per_index_block);
ntfs_log_verbose("\tDumping index root:\n");
printf("\tIndex entries total:\t %d\n",
}
{
}
{
ntfs_log_perror("Damaged INDX record");
return -1;
}
ntfs_log_verbose("\tDumping index block:\n");
ntfs_log_verbose("\t\tNode VCN:\t\t %lld (0x%llx)\n",
printf("\n");
}
}
/**
* ntfs_dump_attr_index_allocation()
*
* dump context of the index_allocation attribute
*/
{
int total_entries = 0;
int total_indx_blocks = 0;
int bit;
if (!ir) {
ntfs_log_perror("Failed to read $INDEX_ROOT attribute");
return;
}
if (!byte) {
ntfs_log_perror("Failed to read $BITMAP attribute");
goto out_index_root;
}
if (!tmp_alloc) {
ntfs_log_perror("Failed to read $INDEX_ALLOCATION attribute");
goto out_bitmap;
}
bit = 0;
int entries;
ir->index_block_size));
if (entries != -1) {
total_entries += entries;
ntfs_log_verbose("\tIndex entries:\t\t %d\n",
entries);
}
}
ir->index_block_size));
bit++;
if (bit > 7) {
bit = 0;
byte++;
}
}
}
/**
* ntfs_dump_attr_bitmap()
*
* dump the bitmap attribute
*/
{
/* TODO */
}
/**
* ntfs_dump_attr_reparse_point()
*
* of ntfs 3.x dumps the reparse_point attribute
*/
{
/* TODO */
}
/**
* ntfs_dump_attr_ea_information()
*
* dump the ea_information attribute
*/
{
printf("\tPacked EA length:\t %u (0x%x)\n",
printf("\tNEED_EA count:\t\t %u (0x%x)\n",
printf("\tUnpacked EA length:\t %u (0x%x)\n",
}
/**
* ntfs_dump_attr_ea()
*
* dump the ea attribute
*/
{
if (attr->non_resident) {
return;
/* FIXME: We don't handle fragmented mapping pairs case. */
if (rl) {
if (!buf) {
return;
}
if (bytes_read != data_size) {
ntfs_log_perror("ntfs_rl_pread failed");
return;
}
} else {
ntfs_log_perror("ntfs_mapping_pairs_decompress failed");
return;
}
} else {
return;
}
while (1) {
printf("\n\tEA flags:\t\t ");
printf("NEED_EA\n");
else
printf("Unknown (0x%02x)\n",
} else
printf("NONE\n");
printf("\tName length:\t %d (0x%x)\n",
(unsigned)ea->name_length,
(unsigned)ea->name_length);
printf("\tValue length:\t %d (0x%x)\n",
printf("\tValue:\t\t ");
!strncmp((const char*)"SETFILEBITS",
else
if (ea->next_entry_offset)
else
break;
break;
}
}
/**
* ntfs_dump_attr_property_set()
*
* dump the property_set attribute
*/
{
/* TODO */
}
/**
* ntfs_dump_attr_logged_utility_stream()
*
* dump the property_set attribute
*/
ntfs_inode *ni)
{
char *buf;
return;
if (buf)
/* TODO */
}
/**
* ntfs_hex_dump
*/
{
unsigned int i=0;
while (i<length) {
unsigned int j;
/* line start */
printf("\t%04X ",i);
/* hex content */
for (j=i;(j<length) && (j<i+16);j++) {
unsigned char c = *((char *)buf + j);
printf("%02hhX ",c);
}
/* realign */
for (;j<i+16;j++) {
printf(" ");
}
/* char content */
for (j=i;(j<length) && (j<i+16);j++) {
unsigned char c = *((char *)buf + j);
/* display unprintable chars as '.' */
if ((c<32) || (c>126)) {
c = '.';
}
printf("%c",c);
}
/* end line */
printf("\n");
i=j;
}
}
/**
* ntfs_dump_attr_unknown
*/
{
printf("===== Please report this unknown attribute type to %s =====\n",
if (!attr->non_resident) {
/* hex dump */
printf("\tDumping some of the attribute data:\n");
}
}
/**
* ntfs_dump_inode_general_info
*/
{
printf("Dumping Inode %llu (0x%llx)\n",
printf("MFT Record Seq. Numb.:\t %u (0x%x)\n",
printf("Number of Hard Links:\t %u (0x%x)\n",
printf("Attribute Offset:\t %u (0x%x)\n",
printf("MFT Record Flags:\t ");
if (inode_flags) {
if (MFT_RECORD_IN_USE & inode_flags) {
printf("IN_USE ");
}
if (MFT_RECORD_IS_DIRECTORY & inode_flags) {
printf("DIRECTORY ");
}
/* The meaning of IS_4 is illusive but not its existence. */
if (MFT_RECORD_IS_4 & inode_flags) {
printf("IS_4 ");
}
if (MFT_RECORD_IS_VIEW_INDEX & inode_flags) {
printf("VIEW_INDEX ");
}
if (inode_flags)
inode_flags));
} else {
printf("none");
}
printf("\n");
printf("Bytes Used:\t\t %u (0x%x) bytes\n",
printf("Bytes Allocated:\t %u (0x%x) bytes\n",
if (mrec->base_mft_record) {
printf("Base MFT Record:\t %llu (0x%llx)\n",
(unsigned long long)
(unsigned long long)
}
printf("Next Attribute Instance: %u (0x%x)\n",
printf("MFT Padding:\t");
printf("\n");
}
/**
* ntfs_get_file_attributes
*/
{
/* then start enumerating attributes
see ntfs_attr_lookup documentation for detailed explanation */
printf("Weird: %s attribute type was found, please "
"report this.\n",
continue;
}
case AT_STANDARD_INFORMATION:
break;
case AT_ATTRIBUTE_LIST:
break;
case AT_FILE_NAME:
break;
case AT_OBJECT_ID:
break;
case AT_SECURITY_DESCRIPTOR:
break;
case AT_VOLUME_NAME:
break;
case AT_VOLUME_INFORMATION:
break;
case AT_DATA:
break;
case AT_INDEX_ROOT:
break;
case AT_INDEX_ALLOCATION:
break;
case AT_BITMAP:
break;
case AT_REPARSE_POINT:
break;
case AT_EA_INFORMATION:
break;
case AT_EA:
break;
case AT_PROPERTY_SET:
break;
case AT_LOGGED_UTILITY_STREAM:
break;
default:
}
}
/* if we exited the loop before we're done - notify the user */
ntfs_log_perror("ntfsinfo error: stopped before finished "
"enumerating attributes");
} else {
printf("End of inode reached\n");
}
/* close all data-structures we used */
}
/**
* main() - Begin here
*
* Start from here.
*
* Return: 0 Success, the program worked
* 1 Error, something went wrong
*/
{
printf("Failed to parse command line options\n");
exit(1);
}
if (!vol) {
exit(1);
}
/*
* if opts.mft is not 0, then we will print out information about
* the volume, such as the sector size and whatnot.
*/
/* obtain the inode */
} else {
}
/* dump the inode information */
if (inode) {
/* general info about the inode's mft record */
/* dump attributes */
} else {
/* can't open inode */
/*
* note: when the specified inode does not exist, either
* EIO or or ESPIPE is returned, we should notify better
* in those cases
*/
ntfs_log_perror("Error loading node");
}
}
return 0;
}