
Ntfs!ATTRIBUTE_RECORD_HEADER结构$INDEX_ROOT=0x90的一个例子

Ntfs!ATTRIBUTE_RECORD_HEADER结构$INDEX_ROOT=0x90的一个例子

1: kd>  dx -id 0,0,899a2278 -r1 ((Ntfs!_FILE_RECORD_SEGMENT_HEADER *)0xc431a400)
((Ntfs!_FILE_RECORD_SEGMENT_HEADER *)0xc431a400)                 : 0xc431a400 [Type: _FILE_RECORD_SEGMENT_HEADER *]
    [+0x000] MultiSectorHeader [Type: _MULTI_SECTOR_HEADER]
    [+0x008] Lsn              : {135166234} [Type: _LARGE_INTEGER]
    [+0x010] SequenceNumber   : 0x1 [Type: unsigned short]
    [+0x012] ReferenceCount   : 0x1 [Type: unsigned short]
    [+0x014] FirstAttributeOffset : 0x38 [Type: unsigned short]
    [+0x016] Flags            : 0x3 [Type: unsigned short]
    [+0x018] FirstFreeByte    : 0x2b0 [Type: unsigned long]
    [+0x01c] BytesAvailable   : 0x400 [Type: unsigned long]
    [+0x020] BaseFileRecordSegment [Type: _MFT_SEGMENT_REFERENCE]
    [+0x028] NextAttributeInstance : 0x3 [Type: unsigned short]
    [+0x02a] SegmentNumberHighPart : 0x0 [Type: unsigned short]
    [+0x02c] SegmentNumberLowPart : 0x2769 [Type: unsigned long]
    [+0x030] UpdateArrayForCreateOnly [Type: unsigned short [1]]
1: kd> dt Attribute_RECORD_HEADER 0xc431a400+38
Ntfs!ATTRIBUTE_RECORD_HEADER
   +0x000 TypeCode         : 0x10
   +0x004 RecordLength     : 0x60
   +0x008 FormCode         : 0 ''
   +0x009 NameLength       : 0 ''
   +0x00a NameOffset       : 0
   +0x00c Flags            : 0
   +0x00e Instance         : 0
   +0x010 Form             : __unnamed
1: kd> dt Attribute_RECORD_HEADER 0xc431a400+38+60
Ntfs!ATTRIBUTE_RECORD_HEADER
   +0x000 TypeCode         : 0x30
   +0x004 RecordLength     : 0x68
   +0x008 FormCode         : 0 ''
   +0x009 NameLength       : 0 ''
   +0x00a NameOffset       : 0
   +0x00c Flags            : 0
   +0x00e Instance         : 2
   +0x010 Form             : __unnamed
1: kd> dt Attribute_RECORD_HEADER 0xc431a400+38+60+68
Ntfs!ATTRIBUTE_RECORD_HEADER
   +0x000 TypeCode         : 0x90
   +0x004 RecordLength     : 0x1a8
   +0x008 FormCode         : 0 ''
   +0x009 NameLength       : 0x4 ''
   +0x00a NameOffset       : 0x18
   +0x00c Flags            : 0
   +0x00e Instance         : 1
   +0x010 Form             : __unnamed
1: kd> dd 0xc431a400+38+60+68
c431a500  00000090 000001a8 00180400 00010000
c431a510  00000188 00000020 00490024 00300033
c431a520  00000030 00000001 00001000 00000001
c431a530  00000010 00000178 00000178 00000000
c431a540  0000276a 00010000 005a0070 00000000
c431a550  00002769 00010000 8fa0d18e 01db06c8
c431a560  c148aca4 01dba6c6 a8e2bafe 01db06c8
c431a570  c148aca4 01dba6c6 00040000 00000000
1: kd> db 0xc431a400+38+60+68
c431a500  90 00 00 00 a8 01 00 00-00 04 18 00 00 00 01 00  ................
c431a510  88 01 00 00 20 00 00 00-24 00 49 00 33 00 30 00  .... ...$.I.3.0.
c431a520  30 00 00 00 01 00 00 00-00 10 00 00 01 00 00 00  0...............
c431a530  10 00 00 00 78 01 00 00-78 01 00 00 00 00 00 00  ....x...x.......
c431a540  6a 27 00 00 00 00 01 00-70 00 5a 00 00 00 00 00  j'......p.Z.....
c431a550  69 27 00 00 00 00 01 00-8e d1 a0 8f c8 06 db 01  i'..............
c431a560  a4 ac 48 c1 c6 a6 db 01-fe ba e2 a8 c8 06 db 01  ..H.............
c431a570  a4 ac 48 c1 c6 a6 db 01-00 00 04 00 00 00 00 00  ..H.............
1: kd> db 0xc431a400+38+60+68+80
c431a580  00 00 04 00 00 00 00 00-22 00 00 00 00 00 00 00  ........".......
c431a590  0c 03 55 00 73 00 72 00-43 00 6c 00 61 00 73 00  ..U.s.r.C.l.a.s.
c431a5a0  73 00 2e 00 64 00 61 00-74 00 00 00 00 00 00 00  s...d.a.t.......
c431a5b0  6b 27 00 00 00 00 01 00-78 00 62 00 00 00 00 00  k'......x.b.....
c431a5c0  69 27 00 00 00 00 01 00-e8 33 a3 8f c8 06 db 01  i'.......3......
c431a5d0  a4 ac 48 c1 c6 a6 db 01-a4 ac 48 c1 c6 a6 db 01  ..H.......H.....
c431a5e0  a4 ac 48 c1 c6 a6 db 01-00 10 00 00 00 00 00 00  ..H.............
c431a5f0  00 04 00 00 00 00 00 00-22 00 00 00 00 00 00 00  ........".......
1: kd> db 0xc431a400+38+60+68+80*2
c431a600  10 01 55 00 73 00 72 00-43 00 6c 00 61 00 73 00  ..U.s.r.C.l.a.s.
c431a610  73 00 2e 00 64 00 61 00-74 00 2e 00 4c 00 4f 00  s...d.a.t...L.O.
c431a620  47 00 00 00 00 00 00 00-6b 27 00 00 00 00 01 00  G.......k'......
c431a630  70 00 5a 00 00 00 00 00-69 27 00 00 00 00 01 00  p.Z.....i'......
c431a640  e8 33 a3 8f c8 06 db 01-a4 ac 48 c1 c6 a6 db 01  .3........H.....
c431a650  a4 ac 48 c1 c6 a6 db 01-a4 ac 48 c1 c6 a6 db 01  ..H.......H.....
c431a660  00 10 00 00 00 00 00 00-00 04 00 00 00 00 00 00  ................
c431a670  22 00 00 00 00 00 00 00-0c 02 55 00 53 00 52 00  ".........U.S.R.
1: kd> db 0xc431a400+38+60+68+80*3
c431a680  43 00 4c 00 41 00 7e 00-31 00 2e 00 4c 00 4f 00  C.L.A.~.1...L.O.
c431a690  47 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  G...............
c431a6a0  10 00 00 00 02 00 00 00-ff ff ff ff 82 79 47 11  .............yG.
c431a6b0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
c431a6c0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
c431a6d0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
c431a6e0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
c431a6f0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
1: kd> dt Attribute_RECORD_HEADER 0xc431a400+38+60+68
Ntfs!ATTRIBUTE_RECORD_HEADER
   +0x000 TypeCode         : 0x90
   +0x004 RecordLength     : 0x1a8
   +0x008 FormCode         : 0 ''
   +0x009 NameLength       : 0x4 ''
   +0x00a NameOffset       : 0x18
   +0x00c Flags            : 0
   +0x00e Instance         : 1
   +0x010 Form             : __unnamed
1: kd> dt Attribute_RECORD_HEADER 0xc431a400+38+60+68+1a8
Ntfs!ATTRIBUTE_RECORD_HEADER
   +0x000 TypeCode         : 0xffffffff
   +0x004 RecordLength     : 0x11477982
   +0x008 FormCode         : 0 ''
   +0x009 NameLength       : 0 ''
   +0x00a NameOffset       : 0
   +0x00c Flags            : 0
   +0x00e Instance         : 0
   +0x010 Form             : __unnamed

1: kd>  dt _INDEX_ROOT 0xc431a400+38+60+68+20
Ntfs!_INDEX_ROOT
   +0x000 IndexedAttributeType : 0x30
   +0x004 CollationRule    : 1
   +0x008 BytesPerIndexBuffer : 0x1000
   +0x00c BlocksPerIndexBuffer : 0x1 ''
   +0x00d Reserved         : [3]  ""
   +0x010 IndexHeader      : _INDEX_HEADER
1: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!_INDEX_HEADER *)0xc431a530))
(*((Ntfs!_INDEX_HEADER *)0xc431a530))                 [Type: _INDEX_HEADER]
    [+0x000] FirstIndexEntry  : 0x10 [Type: unsigned long]
    [+0x004] FirstFreeByte    : 0x178 [Type: unsigned long]
    [+0x008] BytesAvailable   : 0x178 [Type: unsigned long]
    [+0x00c] Flags            : 0x0 [Type: unsigned char]
    [+0x00d] Reserved         [Type: unsigned char [3]]
（注意 FirstFreeByte 0x178 = FirstIndexEntry 0x10 + 下面四个索引项的 Length 0x70 + 0x78 + 0x70 + 0x10（结束项）。遍历索引项时应以 FirstFreeByte / BytesAvailable 为上界，并在 Flags 含 2 的结束项处停止，而不能只依赖磁盘上读出的 Length。）


1: kd> dd 0xc431a400+38+60+68+20+20
c431a540  0000276a 00010000 005a0070 00000000
c431a550  00002769 00010000 8fa0d18e 01db06c8
c431a560  c148aca4 01dba6c6 a8e2bafe 01db06c8
c431a570  c148aca4 01dba6c6 00040000 00000000
c431a580  00040000 00000000 00000022 00000000
c431a590  0055030c 00720073 006c0043 00730061
c431a5a0  002e0073 00610064 00000074 00000000
c431a5b0  0000276b 00010000 00620078 00000000
1: kd> dd 0xc431a400+38+60+68+20+20+80
c431a5c0  00002769 00010000 8fa333e8 01db06c8
c431a5d0  c148aca4 01dba6c6 c148aca4 01dba6c6
c431a5e0  c148aca4 01dba6c6 00001000 00000000
c431a5f0  00000400 00000000 00000022 00000000
c431a600  00550110 00720073 006c0043 00730061
c431a610  002e0073 00610064 002e0074 004f004c
c431a620  00000047 00000000 0000276b 00010000
c431a630  005a0070 00000000 00002769 00010000
1: kd> dd 0xc431a400+38+60+68+20+20+80*2
c431a640  8fa333e8 01db06c8 c148aca4 01dba6c6
c431a650  c148aca4 01dba6c6 c148aca4 01dba6c6
c431a660  00001000 00000000 00000400 00000000
c431a670  00000022 00000000 0055020c 00520053
c431a680  004c0043 007e0041 002e0031 004f004c
c431a690  00000047 00000000 00000000 00000000
c431a6a0  00000010 00000002 ffffffff 11477982
c431a6b0  00000000 00000000 00000000 00000000

1: kd> dt _INDEX_ENTRY 0xc431a400+38+60+68+20+20
Ntfs!_INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0x276a
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x10000
   +0x008 Length           : 0x70
   +0x00a AttributeLength  : 0x5a
   +0x00c Flags            : 0
   +0x00e Reserved         : 0

1: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!_MFT_SEGMENT_REFERENCE *)0xc431a540))
(*((Ntfs!_MFT_SEGMENT_REFERENCE *)0xc431a540))                 [Type: _MFT_SEGMENT_REFERENCE]
    [+0x000] SegmentNumberLowPart : 0x276a [Type: unsigned long]
    [+0x004] SegmentNumberHighPart : 0x0 [Type: unsigned short]
    [+0x006] SequenceNumber   : 0x1 [Type: unsigned short]

 

1: kd> dt _INDEX_ENTRY 0xc431a400+38+60+68+20+20+70
Ntfs!_INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0x276b
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x10000
   +0x008 Length           : 0x78
   +0x00a AttributeLength  : 0x62
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
1: kd> dt _INDEX_ENTRY 0xc431a400+38+60+68+20+20+70+78
Ntfs!_INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0x276b
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0x10000
   +0x008 Length           : 0x70
   +0x00a AttributeLength  : 0x5a
   +0x00c Flags            : 0
   +0x00e Reserved         : 0
1: kd> dt _INDEX_ENTRY 0xc431a400+38+60+68+20+20+70+78+70
Ntfs!_INDEX_ENTRY
   +0x000 FileReference    : _MFT_SEGMENT_REFERENCE
   +0x000 DataOffset       : 0
   +0x002 DataLength       : 0
   +0x004 ReservedForZero  : 0
   +0x008 Length           : 0x10
   +0x00a AttributeLength  : 0
   +0x00c Flags            : 2
   +0x00e Reserved         : 0


1: kd> db 0xc431a400+38+60+68+20+20
c431a540  6a 27 00 00 00 00 01 00-70 00 5a 00 00 00 00 00  j'......p.Z.....
c431a550  69 27 00 00 00 00 01 00-8e d1 a0 8f c8 06 db 01  i'..............
c431a560  a4 ac 48 c1 c6 a6 db 01-fe ba e2 a8 c8 06 db 01  ..H.............
c431a570  a4 ac 48 c1 c6 a6 db 01-00 00 04 00 00 00 00 00  ..H.............
c431a580  00 00 04 00 00 00 00 00-22 00 00 00 00 00 00 00  ........".......
c431a590  0c 03 55 00 73 00 72 00-43 00 6c 00 61 00 73 00  ..U.s.r.C.l.a.s.
c431a5a0  73 00 2e 00 64 00 61 00-74 00 00 00 00 00 00 00  s...d.a.t.......

MFT参考号    8    6a 27 00 00 00 00 01 00
索引项大小    2    70 00
文件名属性长度（_INDEX_ENTRY.AttributeLength，即紧随其后的 $FILE_NAME 属性值的字节数：0x42 固定头 + 0xc 个 UTF-16 字符 × 2 = 0x5a；它不是偏移量）    2    5a 00
索引标志        2    00 00
保留        2    00 00
父目录MFT参考号（0x2769，序列号 1；正是本文件记录自身的 SegmentNumberLowPart 0x2769，说明该索引项属于当前这个目录）    8    69 27 00 00 00 00 01 00
创建时间        8    8e d1 a0 8f c8 06 db 01
修改时间        8    a4 ac 48 c1 c6 a6 db 01
最后修改时间    8    fe ba e2 a8 c8 06 db 01
最后访问时间    8    a4 ac 48 c1 c6 a6 db 01
分配大小        8    00 00 04 00 00 00 00 00
实际大小        8    00 00 04 00 00 00 00 00
标志        4    22 00 00 00
ER        4    00 00 00 00
文件名长度    1    0c
文件命名空间类型    1    03
文件名        


c431a590  0c 03 55 00 73 00 72 00-43 00 6c 00 61 00 73 00  ..U.s.r.C.l.a.s.
c431a5a0  73 00 2e 00 64 00 61 00-74 00          s...d.a.t.......

    

1: kd> dt _file_name 0xc431a400+38+60+68+20+20+10
Ntfs!_FILE_NAME
   +0x000 ParentDirectory  : _MFT_SEGMENT_REFERENCE
   +0x008 Info             : _DUPLICATED_INFORMATION
   +0x040 FileNameLength   : 0xc ''
   +0x041 Flags            : 0x3 ''
   +0x042 FileName         : [1] 0x55


1: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc431a592))
(*((Ntfs!unsigned short (*)[1])0xc431a592))                 [Type: unsigned short [1]]
    [0]              : 0x55 [Type: unsigned short]
1: kd> db 0xc431a592
c431a592  55 00 73 00 72 00 43 00-6c 00 61 00 73 00 73 00  U.s.r.C.l.a.s.s.
c431a5a2  2e 00 64 00 61 00 74 00-00 00 00 00 00 00 6b 27  ..d.a.t.......k'


1: kd> db 0xc431a400+38+60+68+20+20+70
c431a5b0  6b 27 00 00 00 00 01 00-78 00 62 00 00 00 00 00  k'......x.b.....
c431a5c0  69 27 00 00 00 00 01 00-e8 33 a3 8f c8 06 db 01  i'.......3......
c431a5d0  a4 ac 48 c1 c6 a6 db 01-a4 ac 48 c1 c6 a6 db 01  ..H.......H.....
c431a5e0  a4 ac 48 c1 c6 a6 db 01-00 10 00 00 00 00 00 00  ..H.............
c431a5f0  00 04 00 00 00 00 00 00-22 00 00 00 00 00 00 00  ........".......
c431a600  10 01 55 00 73 00 72 00-43 00 6c 00 61 00 73 00  ..U.s.r.C.l.a.s.
c431a610  73 00 2e 00 64 00 61 00-74 00 2e 00 4c 00 4f 00  s...d.a.t...L.O.
c431a620  47 00 00 00 00 00 00 00-6b 27 00 00 00 00 01 00  G.......k'......


MFT参考号    8    6b 27 00 00 00 00 01 00
索引项大小    2    78 00
文件名属性长度（_INDEX_ENTRY.AttributeLength：0x42 固定头 + 0x10 个 UTF-16 字符 × 2 = 0x62；不是偏移量）    2    62 00
索引标志        2    00 00
保留        2    00 00
父目录MFT参考号（0x2769，与第一个索引项相同，同为本目录的 MFT 记录号）    8    69 27 00 00 00 00 01 00
创建时间        8    e8 33 a3 8f c8 06 db 01
修改时间        8    a4 ac 48 c1 c6 a6 db 01
最后修改时间    8    a4 ac 48 c1 c6 a6 db 01
最后访问时间    8    a4 ac 48 c1 c6 a6 db 01
分配大小        8    00 10 00 00 00 00 00 00
实际大小        8    00 04 00 00 00 00 00 00
标志        4    22 00 00 00
ER        4    00 00 00 00
文件名长度    1    10
文件命名空间类型    1    01
文件名    
c431a600  10 01 55 00 73 00 72 00-43 00 6c 00 61 00 73 00  ..U.s.r.C.l.a.s.
c431a610  73 00 2e 00 64 00 61 00-74 00 2e 00 4c 00 4f 00  s...d.a.t...L.O.
c431a620  47 00                       G.......k'......


1: kd> dt _file_name 0xc431a400+38+60+68+20+20+70+10
Ntfs!_FILE_NAME
   +0x000 ParentDirectory  : _MFT_SEGMENT_REFERENCE
   +0x008 Info             : _DUPLICATED_INFORMATION
   +0x040 FileNameLength   : 0x10 ''
   +0x041 Flags            : 0x1 ''
   +0x042 FileName         : [1] 0x55
1: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!unsigned short (*)[1])0xc431a602))
(*((Ntfs!unsigned short (*)[1])0xc431a602))                 [Type: unsigned short [1]]
    [0]              : 0x55 [Type: unsigned short]
1: kd> db 0xc431a602
c431a602  55 00 73 00 72 00 43 00-6c 00 61 00 73 00 73 00  U.s.r.C.l.a.s.s.
c431a612  2e 00 64 00 61 00 74 00-2e 00 4c 00 4f 00 47 00  ..d.a.t...L.O.G.
c431a622  00 00 00 00 00 00 6b 27-00 00 00 00 01 00 70 00  ......k'......p.      

/*
 * NTFS attribute type codes.  Every attribute record inside an MFT file
 * record begins with an ATTRIBUTE_RECORD_HEADER whose TypeCode holds one
 * of these values; the dumps above walk a record containing 0x10, 0x30 and
 * 0x90 in turn, each located by adding the previous RecordLength.
 *
 * NOTE: '$' inside an identifier is not ISO C.  MSVC and GCC accept it as
 * an extension, which is why these names compile in the NT sources.
 */
#define $UNUSED                          (0X0)

#define $STANDARD_INFORMATION            (0x10)
#define $ATTRIBUTE_LIST                  (0x20)
#define $FILE_NAME                       (0x30)
#define $OBJECT_ID                       (0x40)
#define $SECURITY_DESCRIPTOR             (0x50)
#define $VOLUME_NAME                     (0x60)
#define $VOLUME_INFORMATION              (0x70)
#define $DATA                            (0x80)
/* The attribute examined above: FormCode 0, named "$I30" (NameLength 4 at
 * NameOffset 0x18), value starts at +0x20 and is an INDEX_ROOT. */
#define $INDEX_ROOT                      (0x90)
#define $INDEX_ALLOCATION                (0xA0)
#define $BITMAP                          (0xB0)
#define $REPARSE_POINT                   (0xC0)
#define $EA_INFORMATION                  (0xD0)
#define $EA                              (0xE0)
// #define $LOGGED_UTILITY_STREAM           (0x100) // defined in ntfsexp.h
#define $FIRST_USER_DEFINED_ATTRIBUTE    (0x1000)
/*
 * List terminator.  The bytes after the last real attribute record carry
 * this TypeCode and only the TypeCode is meaningful there: in the dump
 * above the RecordLength read at that position is 0x11477982, i.e. junk.
 * A parser must therefore stop on TypeCode == $END (and never read past
 * the file record's FirstFreeByte / BytesAvailable), not rely on the
 * RecordLength that follows it.
 */
#define $END                             (0xFFFFFFFF)

第二部分:

BOOLEAN
FindNextIndexEntry (
    IN PIRP_CONTEXT IrpContext,
    IN PSCB Scb,
    IN PVOID Value,
    IN BOOLEAN ValueContainsWildcards,
    IN BOOLEAN IgnoreCase,
    IN OUT PINDEX_CONTEXT IndexContext,
    IN BOOLEAN NextFlag,
    OUT PBOOLEAN MustRestart OPTIONAL
    )
{

            Sp->IndexEntry =
            IndexEntry = NtfsNextIndexEntry( IndexEntry );

/*
 * Advance to the index entry following IE by adding IE->Length, the
 * on-disk byte size of the entry (0x70, 0x78, 0x70 and 0x10 for the four
 * entries in the dump above).
 *
 * NOTE(review): this trusts on-disk data.  A Length of 0 yields IE
 * itself, so a walker that only tests for the end entry never advances;
 * an oversized Length steps outside the index buffer.  Callers must bound
 * the walk by the enclosing INDEX_HEADER's FirstFreeByte / BytesAvailable
 * and stop at the terminating entry (the last one above has Flags 2 and
 * Length 0x10).  IE is evaluated twice, so do not pass an expression with
 * side effects.
 */
#define NtfsNextIndexEntry(IE) (                        \
    (PINDEX_ENTRY)((PCHAR)(IE) + (ULONG)(IE)->Length)   \
    )


/*
 * First index entry of an index: IH->FirstIndexEntry is a byte offset
 * relative to the INDEX_HEADER itself (0x10 in the dump above, i.e. the
 * entry starts right after the 16-byte header, at 0xc431a540 for a header
 * at 0xc431a530).
 *
 * NOTE(review): FirstIndexEntry comes from disk and is not validated here;
 * a value at or beyond BytesAvailable points outside the index.  IH is
 * evaluated twice.
 */
#define NtfsFirstIndexEntry(IH) (                       \
    (PINDEX_ENTRY)((PCHAR)(IH) + (IH)->FirstIndexEntry) \
    )

http://www.lryc.cn/news/2383395.html
