Shiz
/
exorcise
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
exorcise/exorcise/partition/ntfs/__init__.py

89 lines
2.1 KiB
Python
Raw Blame History

import enum
from destruct import Struct
from ...common import GhostHeaderType, GhostTime, GhostCompressionType
from .properties import NTFSPropertySet
from .mft import MFTRecord
class IDPacket(Struct):
magic = Sig(b'\x0E')
unk1 = Sig(bytes([1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]))
footer = Sig(b'\x0F')
class BufferPacket(Struct, generics=['D']):
magic = Sig(b'\x0F')
length = UInt(32)
unk5 = Sig(bytes([0, 0, 0, 0]))
footer = Sig(b'\x0E')
data = Capped(D, exact=True)
def on_length(self, spec, ctx):
spec.data.limit = self.length
class BufferChecksumPacket(Struct):
magic = Sig(b'\x0A')
checksum = UInt(32)
unk5 = Sig(bytes([0, 0, 0, 0]))
footer = Sig(b'\x0B')
class MFTPacket(Struct):
magic = Sig(b'\x0E')
type = UInt(16)
unk3 = Data(4)
id = UInt(32)
unk4 = Data(4)
footer = Sig(b'\x0F')
class NTFSIndex(Struct):
header = MFTPacket
b = Data(10)
data = MFTRecord # NTFSPropertyTag.SMftRecordSize
class NTFSHeader(Struct):
magic = Sig(b'\xFE\xEF')
type = Enum(GhostHeaderType, UInt(8)) # 1-5
compression = Enum(GhostCompressionType, UInt(8)) # 0-10
time = GhostTime()
bool8 = Bool()
bool9 = Bool()
bool10 = Bool()
bool11 = Bool()
unk12 = Data(15)
unk27 = Data(10)
bool37 = Bool()
unk38 = Data(4)
bool42 = Bool()
bool43 = Bool()
bool44 = Bool()
bool45 = Bool()
bool46 = Bool()
bool47 = Bool()
bool48 = Bool()
bool49 = Bool()
bool50 = Bool()
bool51 = Bool()
unk52 = UInt(8) # 3 or 10
bool53 = Bool()
int54 = UInt(8)
bool55 = Bool()
bool56 = Bool()
unk57 = Data(4)
unk61 = UInt(8) # 0 or 1 or 2
bool62 = Bool()
bool63 = Bool()
bool64 = Bool()
bool65 = Bool()
int66 = UInt(32)
unk70 = Data(5)
pad75 = Pad(437)
class NTFSPartition(Struct):
header = NTFSHeader()
id = IDPacket()
pbuf = BufferPacket[NTFSPropertySet]()
pbuf_checksum = BufferChecksumPacket() # contingent on SFlags & 0x10 and header->field8
Reference in New Issue View Git Blame Copy Permalink