3 * - By John Hodge (thePowersGang)
6 * - NTFS on-disk structures
11 typedef struct sNTFS_BootSector tNTFS_BootSector;
13 struct sNTFS_BootSector
17 Uint8 SystemID[8]; // = "NTFS "
18 Uint16 BytesPerSector;
19 Uint8 SectorsPerCluster;
23 Uint8 MediaDescriptor;
25 Uint16 SectorsPerTrack;
30 Uint32 _unknown; // Usually 0x00800080 (according to Linux docs)
33 Uint64 TotalSectorCount; // Size of volume in sectors
34 Uint64 MFTStart; // Logical Cluster Number of Cluster 0 of MFT
35 Uint64 MFTMirrorStart; // Logical Cluster Number of Cluster 0 of MFT Backup
38 // If either of these are -ve, the size can be obtained via
39 // SizeInBytes = 2^(-1 * Value)
40 Sint8 ClustersPerMFTRecord;
42 Sint8 ClustersPerIndexRecord;
47 Uint8 Padding[512-0x50];
52 * FILE header, an entry in the MFT
54 typedef struct sNTFS_FILE_Header
56 Uint32 Magic; // 'FILE'
57 Uint16 UpdateSequenceOfs;
58 Uint16 UpdateSequenceSize; // Size in words of the UpdateSequenceArray
60 Uint64 LSN; // $LogFile Sequence Number
62 Uint16 SequenceNumber;
64 Uint16 FirstAttribOfs; // Size of header?
65 Uint16 Flags; // 0: In Use, 1: Directory
67 Uint32 RecordSize; // Real Size of FILE Record
68 Uint32 RecordSpace; // Allocated Size for FILE Record
71 * Base address of the MFT containing this record
73 Uint64 Reference; // "File reference to the base FILE record" ???
81 Uint16 RecordNumber; // Number of this MFT Record
82 Uint16 UpdateSequenceNumber;
83 Uint16 UpdateSequenceArray[];
86 Uint16 UpdateSequenceNumber;
87 Uint16 UpdateSequenceArray[];
91 } PACKED tNTFS_FILE_Header;
94 * File Attribute, follows the FILE header
96 typedef struct sNTFS_FILE_Attrib
98 Uint32 Type; // See eNTFS_FILE_Attribs
99 Uint32 Size; // Includes header
101 Uint8 NonresidentFlag;
104 Uint16 Flags; // 0: Compressed, 14: Encrypted, 15: Sparse
110 Uint32 AttribLen; // In words
115 Uint16 Name[]; // UTF-16
119 Uint64 StartingVCN; // VCN of first data run
120 Uint64 LastVCN; // Last VCN in data runs
122 Uint16 CompressionUnitSize;
124 Uint64 AllocatedSize; // Allocated clusters in bytes
126 Uint64 InitiatedSize; // One assumes, ammount of actual data stored
127 Uint16 Name[]; // UTF-16
131 } PACKED tNTFS_FILE_Attrib;
133 #include "attributes.h"
135 typedef struct sNTFS_IndexHeader tNTFS_IndexHeader;
136 typedef struct sNTFS_IndexEntry_Filename tNTFS_IndexEntry_Filename;
138 struct sNTFS_IndexHeader
140 Uint32 Magic; // = 'INDX' LE
141 Uint16 UpdateSequenceOfs;
142 Uint16 UpdateSequenceSize; // incl number
143 Uint64 LogFileSequenceNum;
145 Uint32 EntriesOffset; // add 0x18
146 Uint32 EntriesSize; // (maybe) add 0x18
147 Uint32 EntriesAllocSize;
148 Uint8 Flags; // [0]: Not leaf node
150 Uint16 UpdateSequence;
151 Uint16 UpdateSequenceArray[];
154 #define NTFS_IndexFlag_HasSubNode 0x01
155 #define NTFS_IndexFlag_IsLast 0x02
157 struct sNTFS_IndexEntry
162 Uint16 IndexFlags; // [0]: Points to sub-node, [1]: Last entry in node
165 struct sNTFS_IndexEntry_Filename
170 Uint16 IndexFlags; // [0]: Points to sub-node, [1]: Last entry in node
174 struct sNTFS_Attrib_Filename Filename;
176 Uint64 ParentMFTReference;
178 Uint64 ModifcationTime;
186 Uint8 FilenameNamespace;