Merge pull request #114 from Itay2805/trunk

NTFS Improvements
mint 2021-09-29 17:14:43 +02:00 committed by GitHub
commit 321eae8fbd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 149 additions and 114 deletions


@ -45,6 +45,8 @@ struct ntfs_file_handle {
// the runlist, resident index and attribute list of the
// current open file/directory
uint8_t run_list[128];
uint8_t resident_index_size;
uint8_t resident_index[256];
// info about the current file
uint32_t size_bytes;
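Review bot: `resident_index_size` is a `uint8_t` while `resident_index` holds 256 bytes, so a size of exactly 256 cannot be stored in it. The check added in ntfs_read_directory only rejects `index_root->total_size > sizeof(handle->resident_index)`, so a 256-byte resident index passes, is copied, and then has its size truncated to 0, which makes the lookup skip the resident entries. Declaring the field as `uint16_t resident_index_size;` (or `size_t`) keeps the stored size equal to the number of bytes copied. The struct starts and ends outside this hunk.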


@ -75,6 +75,18 @@ struct file_record_attr_name {
uint16_t name[];
} __attribute__((packed));
struct file_record_attr_index_root {
uint32_t type;
uint32_t collation;
uint32_t size;
uint8_t clusters_per_index_rec;
uint8_t _padding[3];
uint32_t offset;
uint32_t total_size;
uint32_t alloc_size;
uint8_t flags;
} __attribute__((packed));
struct index_record {
char name[4];
uint16_t update_seq_offset;
@ -193,41 +205,36 @@ static bool ntfs_get_next_run_list_element(uint8_t **runlist, uint64_t *out_clus
return false;
}
uint8_t low = runlist_ptr[0] & 0xF;
uint8_t high = (runlist_ptr[0] >> 4) & 0xF;
uint8_t count_size = runlist_ptr[0] & 0xF;
uint8_t cluster_size = (runlist_ptr[0] >> 4) & 0xF;
runlist_ptr++;
// get the run length
uint64_t count = 0;
for (int i = low; i > 0; i--) {
for (int i = count_size; i > 0; i--) {
count <<= 8;
count |= runlist_ptr[i - 1];
}
runlist_ptr += low;
// get the high byte first
int8_t high_byte = (int8_t)runlist_ptr[high - 1];
runlist_ptr += count_size;
// get the run offset
uint64_t cluster = 0;
for (int i = high; i > 0; i--) {
int64_t cluster = 0;
for (int i = cluster_size; i > 0; i--) {
cluster <<= 8;
cluster |= runlist_ptr[i - 1];
}
runlist_ptr += high;
runlist_ptr += cluster_size;
// if the offset is negative, fill the empty bytes with 0xff
if (high_byte < 0 && high < 8) {
uint64_t fill = 0;
for (int i = 8; i > high; i--) {
fill >>= 8;
fill |= 0xFF00000000000000;
// sign exten the run offset
if (cluster >> (cluster_size * 8 - 1)) {
for (int i = 7; i >= cluster_size; i--) {
cluster |= (uint64_t)0xFF << (i * 8);
}
cluster |= fill;
}
// out it
*out_cluster = cluster;
// out it, the cluster is relative to the last cluster
// so add it
*out_cluster += cluster;
*out_cluster_count = count;
// update it
@ -300,53 +307,71 @@ static bool ntfs_read_directory(struct ntfs_file_handle *handle, uint64_t mft_re
return false;
//
// get the runlist of the directory
// First we get the data from the index root (aka resident entries)
//
// get the index alloc attribute, it should have the runlist offset
// copy the runlist from it to our handle for easier access
uint8_t *index_alloc_ptr;
if (!ntfs_get_file_record_attr(file_record, FR_ATTRIBUTE_INDEX_ALLOC, &index_alloc_ptr))
panic("NTFS: Directory has no runlist?!");
struct file_record_attr_header_non_res *index_alloc = (struct file_record_attr_header_non_res *)index_alloc_ptr;
uint8_t *runlist_ptr = index_alloc_ptr + index_alloc->run_offset;
if (runlist_ptr - file_record + 128u > handle->file_record_size)
panic("NTFS: runlist is outside of file record!");
memcpy(handle->run_list, runlist_ptr, sizeof(handle->run_list));
// calculate the directory size by just going through the runlist
uint8_t *runlist = handle->run_list;
uint64_t dir_size = 0;
uint64_t cluster = 0;
uint64_t cluster_count = 0;
bool status = false;
do {
status = ntfs_get_next_run_list_element(&runlist, &cluster_count, &cluster, true);
if (status)
dir_size += cluster_count;
} while(status);
dir_size *= handle->bpb.sectors_per_cluster * handle->bpb.bytes_per_sector;
// allocate a buffer for the directory data
if (dir_buffer == NULL) {
// allocate enough just in case, idk how much is good
dir_buffer_cap = dir_size > 64 * 1024 ? dir_size : 64 * 1024;
dir_buffer = ext_mem_alloc(dir_buffer_cap);
uint8_t* index_root_ptr;
if (ntfs_get_file_record_attr(file_record, FR_ATTRIBUTE_INDEX_ROOT, &index_root_ptr)) {
// we have a resident index root
struct file_record_attr_header_res *index_root_header = (struct file_record_attr_header_res *)index_root_ptr;
struct file_record_attr_index_root *index_root = (struct file_record_attr_index_root *)(index_root_ptr + index_root_header->info_offset);
uint8_t *index_root_data = (uint8_t *)index_root + index_root->offset + offsetof(struct file_record_attr_index_root, offset);
if (index_root->total_size > sizeof(handle->resident_index))
panic("NTFS: Resident index is too big!");
handle->resident_index_size = index_root->total_size;
memcpy(handle->resident_index, index_root_data, index_root->total_size);
} else {
// we must truncate it...
if (dir_size > dir_buffer_cap) {
dir_size = dir_buffer_cap;
}
// no resident data, clear
handle->resident_index_size = 0;
}
// set the size of the dir size
dir_buffer_size = dir_size;
//
// Now get the non-resident index records, for that we need to get the INDEX_ALLOC
// attribute and read the runlist from that
//
uint8_t *index_alloc_ptr;
if (ntfs_get_file_record_attr(file_record, FR_ATTRIBUTE_INDEX_ALLOC, &index_alloc_ptr)) {
struct file_record_attr_header_non_res *index_alloc = (struct file_record_attr_header_non_res *)index_alloc_ptr;
uint8_t *runlist_ptr = index_alloc_ptr + index_alloc->run_offset;
if (runlist_ptr - file_record + 128u > handle->file_record_size)
panic("NTFS: runlist is outside of file record!");
memcpy(handle->run_list, runlist_ptr, sizeof(handle->run_list));
// read the directory
if (ntfs_read(handle, dir_buffer, 0, dir_size))
panic("NTFS: EOF before reading directory fully...");
// calculate the directory size by just going through the runlist
uint8_t *runlist = handle->run_list;
uint64_t dir_size = 0;
uint64_t cluster = 0;
uint64_t cluster_count = 0;
bool status = false;
do {
status = ntfs_get_next_run_list_element(&runlist, &cluster_count, &cluster, true);
if (status)
dir_size += cluster_count;
} while(status);
dir_size *= handle->bpb.sectors_per_cluster * handle->bpb.bytes_per_sector;
// allocate a buffer for the directory data
if (dir_buffer == NULL) {
// allocate enough just in case, idk how much is good
dir_buffer_cap = dir_size > 64 * 1024 ? dir_size : 64 * 1024;
dir_buffer = ext_mem_alloc(dir_buffer_cap);
} else {
// we must truncate it...
if (dir_size > dir_buffer_cap) {
dir_size = dir_buffer_cap;
}
}
// set the size of the dir size
dir_buffer_size = dir_size;
// read the directory
if (ntfs_read(handle, dir_buffer, 0, dir_size))
panic("NTFS: EOF before reading directory fully...");
} else {
// if no runlist then empty the runlist
memset(handle->run_list, 0, sizeof(handle->run_list));
}
return true;
}
@ -382,16 +407,61 @@ static void ntfs_read_root(struct ntfs_file_handle *handle) {
panic("NTFS: Missing root directory file record!");
}
/**
* Iterate the files over a single index with entries
*/
static bool ntfs_iterate_index_entries(struct ntfs_file_handle *handle, uint8_t *entry_ptr, size_t index_size, const char *filename, size_t filename_size, struct index_entry **out_entry) {
// loop the record for all of its indexes
while (index_size) {
// get the entry, if size is zero we done
struct index_entry *entry = (struct index_entry *)entry_ptr;
if (entry->entry_size == 0)
break;
if (filename_size == entry->name_length) {
// this name seem legit, need to get the real name from the mft
// sometimes it works to use the index name but sometimes it has
// invalid names for whatever reason that I can not understand, so
// just always take it from the mft file record
uint8_t file_record_buffer[MIN_FILE_RECORD_SIZE];
if (!ntfs_get_file_record(handle, entry->mft_record, file_record_buffer))
panic("NTFS: Failed to get file record");
uint8_t *name_attr = NULL;
if (!ntfs_get_file_record_attr(file_record_buffer, FR_ATTRIBUTE_NAME, &name_attr))
panic("NTFS: File record missing name attribute");
// get the offset to the actual info
struct file_record_attr_header_res *header = (struct file_record_attr_header_res *)name_attr;
struct file_record_attr_name *name = (struct file_record_attr_name *)(name_attr + header->info_offset);
// compare the name
for (int i = 0; i < name->name_length; i++) {
if (name->name[i] != filename[i]) {
goto next_entry;
}
}
// name is good, return the entry and return true
// that we found the entry
*out_entry = entry;
return true;
}
// next entry
next_entry:
entry_ptr += entry->entry_size;
index_size -= entry->entry_size;
}
return false;
}
/**
* Search for a file in the ntfs directory, assumes the directory has been read and is stored in
* the temp buffer
*/
static bool ntfs_find_file_in_directory(struct ntfs_file_handle *handle, const char* filename, struct index_entry** out_entry) {
size_t dir_size = dir_buffer_size;
uint8_t *dir_ptr = dir_buffer;
// TODO: iterate resident record...
// get the size of the name we need to compare
const char* temp_filename = filename;
size_t filename_size = 0;
@ -400,7 +470,13 @@ static bool ntfs_find_file_in_directory(struct ntfs_file_handle *handle, const c
temp_filename++;
}
// iterate the non-resident files in the directory
// first search in the resident records
if (ntfs_iterate_index_entries(handle, handle->resident_index, handle->resident_index_size, filename, filename_size, out_entry))
return true;
// now iterate the non-resident files in the directory
uint8_t *dir_ptr = dir_buffer;
size_t dir_size = dir_buffer_size;
size_t offset = 0;
while (dir_size) {
// check if the dir pointer is still in the buffer, if not then we could
@ -418,53 +494,10 @@ static bool ntfs_find_file_in_directory(struct ntfs_file_handle *handle, const c
size_t index_size = index_record->index_entry_size;
offset += index_record->index_entry_offset + offsetof(struct index_record, index_entry_offset);
uint8_t *entry_ptr = dir_ptr + offset;
// loop the record for all of its indexes
while (index_size) {
// make sure we still have an entry
if (entry_ptr + sizeof(struct index_entry) > dir_buffer + dir_buffer_size)
panic("NTFS: Tried to read index entry outside of directory");
// get the entry, if size is zero we done
struct index_entry *entry = (struct index_entry *)entry_ptr;
if (entry->entry_size == 0)
break;
if (filename_size == entry->name_length) {
// this name seem legit, need to get the real name from the mft
// sometimes it works to use the index name but sometimes it has
// invalid names for whatever reason that I can not understand, so
// just always take it from the mft file record
uint8_t file_record_buffer[MIN_FILE_RECORD_SIZE];
if (!ntfs_get_file_record(handle, entry->mft_record, file_record_buffer))
panic("NTFS: Failed to get file record");
uint8_t *name_attr = NULL;
if (!ntfs_get_file_record_attr(file_record_buffer, FR_ATTRIBUTE_NAME, &name_attr))
panic("NTFS: File record missing name attribute");
// get the offset to the actual info
struct file_record_attr_header_res *header = (struct file_record_attr_header_res *)name_attr;
struct file_record_attr_name *name = (struct file_record_attr_name *)(name_attr + header->info_offset);
// compare the name
for (int i = 0; i < name->name_length; i++) {
if (name->name[i] != filename[i]) {
goto next_entry;
}
}
// name is good, return the entry and return true
// that we found the entry
*out_entry = entry;
return true;
}
// next entry
next_entry:
entry_ptr += entry->entry_size;
index_size -= entry->entry_size;
}
// check if any of the entries is valid
if (ntfs_iterate_index_entries(handle, entry_ptr, index_size, filename, filename_size, out_entry))
return true;
// next record, need to do some rounding
index_size = index_record->index_entry_size;
@ -577,8 +610,8 @@ int ntfs_read(struct ntfs_file_handle *file, void *buf, uint64_t loc, uint64_t c
uint64_t bytes_per_cluster = file->bpb.sectors_per_cluster * file->bpb.bytes_per_sector;
do {
// get the next element from the runlist
uint64_t cluster_count;
uint64_t cluster;
uint64_t cluster = 0;
uint64_t cluster_count = 0;
if (!ntfs_get_next_run_list_element(&runlist, &cluster_count, &cluster, true))
break;
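Review bot: The new ntfs_iterate_index_entries helper walks entries using on-disk lengths with no bound, because the check the old inline loop had (`entry_ptr + sizeof(struct index_entry) > dir_buffer + dir_buffer_size`) was dropped in the move. An `entry_size` larger than the remaining `index_size` makes `index_size -= entry->entry_size` wrap, so on a malformed volume the loop keeps reading past `resident_index` or `dir_buffer`. The helper should check both the fixed entry header and `entry_size` against `index_size` before using them, as sketched below, and the non-resident caller (whose body continues outside the hunk) should make sure `index_size` itself does not exceed the bytes left in `dir_buffer`. The same kind of gap is in the INDEX_ROOT branch of ntfs_read_directory, where `info_offset`, `offset` and `total_size` are bounded against the destination only, not against the file record being read from.

```c
// in ntfs_iterate_index_entries
while (index_size) {
    // the fixed part of the entry must fit in what is left of the index
    if (index_size < sizeof(struct index_entry))
        panic("NTFS: Tried to read index entry outside of directory");

    // get the entry, if size is zero we done
    struct index_entry *entry = (struct index_entry *)entry_ptr;
    if (entry->entry_size == 0)
        break;

    // an entry longer than the remaining index would wrap index_size below
    if (entry->entry_size > index_size)
        panic("NTFS: Tried to read index entry outside of directory");

    // … unchanged: name lookup in the MFT record, comparison, next_entry advance …
```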