From 787420defebd0cc0efacd43dae895bcc58f33916 Mon Sep 17 00:00:00 2001 From: "flatcap.org!flatcap" Date: Mon, 23 Dec 2002 04:42:18 +0000 Subject: [PATCH] [matt] new code (Logical change 1.50) --- ntfsprogs/ntfsinfo.c | 179 ++++++++++++++++++++++--------------------- 1 file changed, 90 insertions(+), 89 deletions(-) diff --git a/ntfsprogs/ntfsinfo.c b/ntfsprogs/ntfsinfo.c index 3843842d..932f9095 100644 --- a/ntfsprogs/ntfsinfo.c +++ b/ntfsprogs/ntfsinfo.c @@ -29,16 +29,30 @@ #include #include #include +#include #include "types.h" #include "mft.h" #include "attrib.h" #include "layout.h" #include "inode.h" -void get_file_attribute_value(const char *dev, long int i); -void print_standard_information_attr(ntfs_attr_search_ctx * ctx); -void print_file_name_attr(ntfs_attr_search_ctx * ctx); +void ntfs_get_file_attributes(const char *dev, long int i); +void ntfs_dump_file_name_attribute(ntfs_inode *inode, MFT_RECORD *mrec); +void ntfs_dump_standard_information(ntfs_inode *inode, MFT_RECORD *mrec); +/** + * ntfs2utc - Convert an NTFS time to Unix time + * @time: An NTFS time in 100ns units since 1601 + * + * NTFS stores times as the number of 100ns intervals since January 1st 1601 at + * 00:00 UTC. This system will not suffer from Y2K problems until ~57000AD. + * + * Return: n A Unix time (number of seconds since 1970) + */ +time_t ntfs2utc (long long time) +{ + return (time - ((long long) (369 * 365 + 89) * 24 * 3600 * 10000000)) / 10000000; +} #define NTFS_TIME_OFFSET ((u64)(369*365 + 89) * 24 * 3600 * 10000000) @@ -55,8 +69,7 @@ int main(int argc, char **argv) locale = setlocale(LC_ALL, NULL); printf("Failed to set locale, using default (%s).\n", locale); - } else - printf("Using locale %s.\n", locale); + } if (argc < 3 || argc > 4) { fprintf(stderr, "%s v%s - %s\n", EXEC_NAME, VERSION, AUTHOR); 
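Review bot: ntfs2utc() hard-codes the 1601-to-1970 offset even though the `#define NTFS_TIME_OFFSET` context line directly below it holds the same expression, so the two copies can drift apart. Moving the macro above the function and writing `return (time - (long long) NTFS_TIME_OFFSET) / 10000000;` keeps a single definition. The result is narrowed to time_t with no range check, and the input comes straight from the on-disk record, so where time_t is 32 bits a damaged or crafted timestamp yields a meaningless value that callers then format. The doc comment's `Return: n A Unix time` has a stray `n`. The parameter name `time` would also hide the library function time() inside the body if the newly added include is the time header, which cannot be confirmed here because its name is not legible in this view.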
@@ -66,128 +79,116 @@ int main(int argc, char **argv) else { i = atoll(argv[2]); - get_file_attribute_value(argv[1], i); + ntfs_get_file_attributes(argv[1], i); } return 0; } -void get_file_attribute_value(const char *dev, long int i) +void ntfs_get_file_attributes(const char *dev, long int i) { MFT_REF mref; MFT_RECORD *mrec = NULL; - //ATTR_RECORD *attr = NULL; - //FILE_NAME_ATTR *file_name_attr = NULL; - //STANDARD_INFORMATION *standard_information = NULL; - //SECURITY_DESCRIPTOR_RELATIVE *security_descriptor = NULL; - ntfs_attr_search_ctx *ctx = NULL; + //ntfs_attr_search_ctx *ctx = NULL; ntfs_volume *vol = NULL; - //char *file_name; ntfs_inode *inode = NULL; + //int error; - vol = ntfs_mount(dev, 0); + if(!(vol = ntfs_mount(dev, 0))) { + fprintf(stderr, "ntfsinfo error: cannot mount device %s\n",dev); + exit(1); + } mref = (MFT_REF) i; inode = ntfs_inode_open(vol, mref); if (ntfs_file_record_read(vol, mref, &mrec, NULL)) { - perror("Error reading file record!\n"); + fprintf(stderr, "ntfsinfo error: error reading file record!\n"); exit(1); } + //see flatcap.org/ntfs/info for what formatting should look like + //ntfs_dump_boot_sector_information(inode, mrec); + ntfs_dump_file_name_attribute(inode, mrec); + ntfs_dump_standard_information(inode, mrec); +} + +void ntfs_dump_file_name_attribute(ntfs_inode *inode, MFT_RECORD *mrec) +{ + FILE_NAME_ATTR *file_name_attr = NULL; + ATTR_RECORD *attr = NULL; + ntfs_attr_search_ctx *ctx = NULL; + char *file_name; + time_t ntfs_time; + ctx = ntfs_attr_get_search_ctx(inode, mrec); -// print_file_name_attr(ctx); - -// ctx = ntfs_get_attr_search_ctx(inode, mrec); //need to fix this - - print_standard_information_attr(ctx); -} - - -s64 ntfs2time(s64 time) -{ - s64 t; - printf("Original Time: %Li\n",time); - t = time - NTFS_TIME_OFFSET; - t = t / 10000000; - return t; - - -} - -void print_standard_information_attr(ntfs_attr_search_ctx *ctx) -{ - ATTR_RECORD *attr = NULL; - STANDARD_INFORMATION *standard_information_attr = NULL; - 
- if (ntfs_attr_lookup - (AT_STANDARD_INFORMATION, AT_UNNAMED, 0, 0, 0, NULL, 0, ctx)) { - perror("Error looking up $STANDARD_INFORMATION!\n"); - exit(1); + if(ntfs_attr_lookup(AT_FILE_NAME, AT_UNNAMED, 0, 0, 0, NULL, 0, ctx)) { + fprintf(stderr, "ntfsinfo error: cannot lookup attribute AT_FILE_NAME!\n"); + return; } attr = ctx->attr; - standard_information_attr = - (STANDARD_INFORMATION *) ((char *) attr + - le16_to_cpu(attr->value_offset)); + file_name_attr = (FILE_NAME_ATTR*)((char *)attr + le16_to_cpu(attr->value_offset)); - printf("Creation time: %Li\n", - ntfs2time(standard_information_attr->creation_time)); -/* printf("Last Data Change Time: %Li\n", - ntfs2time(standard_information_attr->last_data_change_time)); - printf("Last MFT Change Time: %Li\n", - ntfs2time(standard_information_attr->last_mft_change_time)); - printf("Last Access Time: %Li\n", - ntfs2time(standard_information_attr->last_access_time)); - printf("Maxium Versions: %d\n", - standard_information_attr->maximum_versions); - printf("Version Number: %d\n", - standard_information_attr->version_number); - printf("Class ID: %d\n", - standard_information_attr->class_id); - printf("Owner ID: %d\n", - standard_information_attr->owner_id); - printf("Security ID: %d\n", - standard_information_attr->security_id); + file_name = malloc(file_name_attr->file_name_length * sizeof(char)); + + //need to convert the little endian unicode string to a multibyte string + ntfs_ucstombs(file_name_attr->file_name, file_name_attr->file_name_length, + &file_name, file_name_attr->file_name_length); + + printf("Dumping $FILE_NAME (0x30)\n"); + + //basic stuff about the file + printf("File Name: \t\t %s\n",file_name); + printf("File Name Length: \t %d\n",file_name_attr->file_name_length); + printf("Allocated File Size: \t %lld\n", sle64_to_cpu(file_name_attr->allocated_size)); + printf("Real File Size: \t %lld\n", sle64_to_cpu(file_name_attr->data_size)); + + //time conversion stuff + ntfs_time = 
ntfs2utc(file_name_attr->creation_time); + printf("File Creation Time: \t %s",ctime(&ntfs_time)); + + ntfs_time = ntfs2utc(file_name_attr->last_data_change_time); + printf("File Altered Time: \t %s",ctime(&ntfs_time)); + + ntfs_time = ntfs2utc(file_name_attr->last_mft_change_time); + printf("MFT Changed Time: \t %s",ctime(&ntfs_time)); + + ntfs_time = ntfs2utc(file_name_attr->last_access_time); + printf("Last Acced Time: \t %s",ctime(&ntfs_time)); + + free(file_name); -*/ } -void print_file_name_attr(ntfs_attr_search_ctx *ctx) +void ntfs_dump_standard_information(ntfs_inode *inode, MFT_RECORD *mrec) { - ATTR_RECORD *attr = NULL; - ntfs_attr_search_ctx *c = ctx; - FILE_NAME_ATTR *file_name_attr = NULL; - char *file_name; - if (ntfs_attr_lookup(AT_FILE_NAME, AT_UNNAMED, 0, 0, 0, NULL, 0, ctx)) { - perror("Error looking up $FILE_NAME_ATTR!\n"); - exit(1); + STANDARD_INFORMATION *standard_attr = NULL; + ATTR_RECORD *attr = NULL; + ntfs_attr_search_ctx *ctx = NULL; + + ctx = ntfs_attr_get_search_ctx(inode, mrec); + + if(ntfs_attr_lookup(AT_STANDARD_INFORMATION, AT_UNNAMED, 0, 0, 0, NULL, 0, ctx)) { + fprintf(stderr, "ntfsinfo error: cannot look up attribute AT_STANDARD_INFORMATION!\n"); + return; } attr = ctx->attr; - ctx = c; - file_name_attr = - (FILE_NAME_ATTR *) ((char *) attr + - le16_to_cpu(attr->value_offset)); + standard_attr = (STANDARD_INFORMATION*)((char *)attr + le16_to_cpu(attr->value_offset)); - file_name = malloc(file_name_attr->file_name_length * sizeof (char)); + printf("Dumping $STANDARD_INFORMATION (0x10)\n"); - ntfs_ucstombs(file_name_attr->file_name, - file_name_attr->file_name_length, &file_name, - file_name_attr->file_name_length); + printf("Maximum Number of Versions: \t %d \n",standard_attr->maximum_versions); + printf("Version Number: \t\t %d \n",standard_attr->version_number); + printf("Class ID: \t\t\t %d \n",standard_attr->class_id); + printf("User ID: \t\t\t %d \n", standard_attr->owner_id); + printf("Security ID: \t\t\t %d \n", 
standard_attr->security_id); - printf("File Name: %s\n", file_name); - printf("File Name Length: %d\n", file_name_attr->file_name_length); - printf("Allocated Size: %Li\n",sle64_to_cpu(file_name_attr->allocated_size)); - printf("Data Size: %Li\n",sle64_to_cpu(file_name_attr->data_size)); } -/*void print_security_descriptor_attr(SECURITY_DESCRIPTOR_RELATIVE *security_descriptor) -{ - -}*/
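Review bot: In ntfs_dump_file_name_attribute the name buffer is sized as `file_name_length` bytes, which leaves no room for a terminating NUL or for characters that need more than one byte, and neither malloc() nor ntfs_ucstombs() is checked before the buffer goes to `printf("%s")`. On a damaged or crafted volume that becomes a read of uninitialised or unterminated heap memory. The fence below lets the library allocate the string and bails out on failure; it relies on ntfs_ucstombs() allocating when `*outs` is NULL, which should be confirmed against its definition since that is not visible here. Both dump functions also dereference `ctx->attr` without checking the result of ntfs_attr_get_search_ctx(), never release the context (including on the early `return`), and trust `attr->value_offset` from disk without comparing it to the record size. The four timestamps reach ntfs2utc() without `sle64_to_cpu()`, unlike `allocated_size` next to them, and ctime() can return NULL for an out-of-range value, which `printf("%s")` must not be handed.

```c
	// … unchanged: search context setup, AT_FILE_NAME lookup, file_name_attr cast …
	char *file_name = NULL;

	/* NULL output pointer: assumed to make ntfs_ucstombs() allocate a
	 * NUL-terminated buffer of the right size (confirm against its definition). */
	if (ntfs_ucstombs(file_name_attr->file_name, file_name_attr->file_name_length,
			&file_name, 0) < 0) {
		fprintf(stderr, "ntfsinfo error: cannot convert file name\n");
		return;
	}
	// … unchanged: printf calls for name, sizes and times …
	free(file_name);
```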