No, actually I think you can name some command-line and GUI programs for this one.
Does anyone know where I can find examples of BackupRead and BackupSeek being used to enumerate alternate data streams (ADS) in C or C++?
ForensicFocus…the site where people who can't do their own Google searches come to get others to do the searches for them…
http://
http://
http://
ForensicFocus…the site where people who can't do their own Google searches come to get others to do the searches for them…
Harlan,
Perhaps I can take this opportunity to clarify the following.
The driving force behind this site is a desire to create a community which is welcoming, supportive and above all useful to its membership. In order to achieve that goal it's important that long standing members are happy to share their knowledge in such a manner that new and prospective members feel able to post without undue fear of criticism.
While I share your frustration on those occasions when members might carry out a little more of their own research, there is NEVER a good reason to post a derogatory comment of this nature. Doing so simply makes it much harder for others to post and hinders the exchange of information.
We've been over this ground before, I don't expect to do so again.
Jamie
Sorry, Jamie, you're right…I'll put the spoon away, and I do sincerely apologize to you.
Contritely,
H
Good stuff, let's move on.
I have attempted to compile the code from this second link with the Dev-C++ compiler.
http://
#include <precomp.h>
#ifndef _NO_WIN_FS
//#include "winfs.h"
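// Read and discard `remaining` bytes of the current backup stream so that the
// BackupRead context stays positioned on the next WIN32_STREAM_ID header.
// Returns false when BackupRead fails or returns short; the caller must then
// stop enumerating, because the context is no longer aligned on a header.
static bool SkipBackupBytes(HANDLE hFile, LONGLONG remaining, LPVOID* pctx)
{
    BYTE buffer[4096];
    DWORD read;

    while (remaining > 0) {
        // Never request more than is left in this stream: BackupRead hands out
        // the whole backup image as one byte stream, so over-reading here would
        // swallow (part of) the next stream's header.
        DWORD want = remaining < (LONGLONG)sizeof(buffer) ? (DWORD)remaining : (DWORD)sizeof(buffer);

        if (!BackupRead(hFile, buffer, want, &read, FALSE, FALSE, pctx) || read != want)
            return false;

        remaining -= read;
    }

    return true;
}

// Enumerate the named NTFS data streams (alternate data streams) of hFile and
// hang one child WinEntry per stream under `entry` (entry->_down list).
// hFile must have been opened with FILE_FLAG_BACKUP_SEMANTICS so that
// BackupRead/BackupSeek can walk the file's backup image.
// Returns the number of alternate data streams found. Throws via
// THROW_EXCEPTION when BackupSeek fails for any reason other than ERROR_SEEK,
// or when the BackupRead context cannot be released.
int ScanNTFSStreams(Entry* entry, HANDLE hFile)
{
    PVOID ctx = 0;
    DWORD read, seek_high;
    Entry** pnext = &entry->_down;
    int cnt = 0;

    for(;;) {
        // WIN32_STREAM_ID ends in a one-WCHAR flexible cStreamName; pad it so a
        // stream name of the form ":name:$DATA" can be read into the same object.
        struct NTFS_StreamHdr : public WIN32_STREAM_ID {
            WCHAR name_padding[_MAX_FNAME];    // room for reading stream name
        } hdr;

        // Fixed part of the header: everything up to cStreamName.
        const DWORD hdr_size = (DWORD)((LPBYTE)&hdr.cStreamName - (LPBYTE)&hdr);
        // Bytes available for the name inside `hdr` (cStreamName plus padding).
        const DWORD name_capacity = (DWORD)(sizeof(hdr) - hdr_size);

        if (!BackupRead(hFile, (LPBYTE)&hdr, hdr_size, &read, FALSE, FALSE, &ctx) ||
            read != hdr_size)
            break;    // end of the backup image (or a read error): stop enumerating

        if (hdr.dwStreamId == BACKUP_ALTERNATE_DATA && hdr.dwStreamNameSize) {
            if (hdr.dwStreamNameSize > name_capacity) {
                // dwStreamNameSize comes straight from the file on disk. An
                // oversized value must never be read into the fixed-size header
                // (stack overflow); consume the name bytes so the context stays
                // aligned, but do not create an entry for this stream.
                if (!SkipBackupBytes(hFile, hdr.dwStreamNameSize, &ctx))
                    break;
            } else if (BackupRead(hFile, (LPBYTE)hdr.cStreamName, hdr.dwStreamNameSize, &read, FALSE, FALSE, &ctx) &&
                       read == hdr.dwStreamNameSize) {
                ++cnt;

                int l = hdr.dwStreamNameSize / sizeof(WCHAR);
                LPCWSTR p = hdr.cStreamName;
                LPCWSTR e = hdr.cStreamName + l;

                // Names arrive as ":name:$DATA"; keep only the part between the colons.
                if (l>0 && *p==':') {
                    ++p, --l;
                    e = p;
                    while(l>0 && *e!=':')
                        ++e, --l;
                    l = e - p;
                }

                Entry* stream_entry = new WinEntry(entry);

                memcpy(&stream_entry->_data, &entry->_data, sizeof(WIN32_FIND_DATA));
                // l is bounded by name_capacity above, but bound the copy anyway
                // rather than rely on cFileName (MAX_PATH) being large enough.
                lstrcpyn(stream_entry->_data.cFileName, String(p, l),
                         sizeof(stream_entry->_data.cFileName) / sizeof(stream_entry->_data.cFileName[0]));

                stream_entry->_down = NULL;
                stream_entry->_expanded = false;
                stream_entry->_scanned = false;
                stream_entry->_level = entry->_level + 1;

                *pnext = stream_entry;
                pnext = &stream_entry->_next;
            }
        }
        // NOTE(review): streams other than BACKUP_ALTERNATE_DATA have their name
        // left unread here, as in the original; whether BackupSeek below skips an
        // unread name as well as the data is not established by this code.

        // jump to the next stream header
        if (!BackupSeek(hFile, ~0, ~0, &read, &seek_high, &ctx)) {
            DWORD error = GetLastError();

            if (error != ERROR_SEEK) {
                BackupRead(hFile, 0, 0, &read, TRUE, FALSE, &ctx);    // terminate BackupRead() loop
                THROW_EXCEPTION(error);
            }

            // ERROR_SEEK: BackupSeek stopped at the end of this stream's data and
            // reported how far it got in read/seek_high. Whatever it could not
            // skip is consumed by reading it, never more than hdr.Size bytes.
            LONGLONG remaining = hdr.Size.QuadPart - (LONGLONG)(((ULONGLONG)seek_high << 32) + read);

            if (!SkipBackupBytes(hFile, remaining, &ctx))
                break;    // context no longer aligned on a header; stop enumerating
        }
    }

    if (ctx)
        if (!BackupRead(hFile, 0, 0, &read, TRUE, FALSE, &ctx))    // terminate BackupRead() loop
            THROW_EXCEPTION(GetLastError());

    return cnt;
}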
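// Populate this directory's child list (_down) from the file system.
// Every entry returned by FindFirstFile/FindNextFile becomes a WinDirectory or
// WinEntry child. Unless SCAN_DONT_ACCESS is set in scan_flags, each child is
// also opened to fetch its BY_HANDLE_FILE_INFORMATION (_bhfi) and to enumerate
// its NTFS alternate data streams via ScanNTFSStreams(). Sets _scanned on return.
void WinDirectory::read_directory(int scan_flags)
{
    CONTEXT("WinDirectory::read_directory()");

    int level = _level + 1;

    Entry* first_entry = NULL;
    Entry* last = NULL;
    Entry* entry;

    LPCTSTR path = (LPCTSTR)_path;
    TCHAR buffer[MAX_PATH], *pname;
    const size_t buffer_count = sizeof(buffer) / sizeof(buffer[0]);

    // The directory path is copied into a fixed stack buffer and file names
    // are appended to it below. _path is not guaranteed to fit: refuse to scan
    // rather than overrun `buffer` (FindFirstFile would fail on such a path anyway).
    const size_t base_len = (size_t)lstrlen(path);

    if (base_len + 3 > buffer_count) {    // room for "\\*" and the terminating NUL
        _down = NULL;
        _scanned = true;
        return;
    }

    memcpy(buffer, path, base_len * sizeof(TCHAR));
    pname = buffer + base_len;
    lstrcpy(pname, TEXT("\\*"));

    // TCHARs available after the backslash for an entry's name, including its NUL.
    const size_t name_room = buffer_count - (base_len + 1);

    WIN32_FIND_DATA w32fd;
    HANDLE hFind = FindFirstFile(buffer, &w32fd);

    if (hFind != INVALID_HANDLE_VALUE) {
        do {
            // cFileName is at most MAX_PATH TCHARs, so "<path>\<name>" can exceed
            // the buffer. Such an entry cannot be addressed by this scan: skip it.
            if ((size_t)lstrlen(w32fd.cFileName) >= name_room)
                continue;

            lstrcpy(pname+1, w32fd.cFileName);

            if (w32fd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
                entry = new WinDirectory(this, buffer);
            else
                entry = new WinEntry(this);

            if (!first_entry)
                first_entry = entry;

            if (last)
                last->_next = entry;

            memcpy(&entry->_data, &w32fd, sizeof(WIN32_FIND_DATA));
            entry->_level = level;

            // display file type names, but don't hide file extensions
            g_Globals._ftype_mgr.set_type(entry, true);

            if (!(scan_flags & SCAN_DONT_ACCESS)) {
                // FILE_FLAG_BACKUP_SEMANTICS allows directories to be opened and is
                // required for the BackupRead walk in ScanNTFSStreams().
                // NOTE(review): without FILE_FLAG_OPEN_REPARSE_POINT this follows
                // junctions/symlinks, so scanning an untrusted tree opens whatever
                // they point at.
                HANDLE hFile = CreateFile(buffer, GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,
                                          0, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, 0);

                if (hFile != INVALID_HANDLE_VALUE) {
                    if (GetFileInformationByHandle(hFile, &entry->_bhfi))
                        entry->_bhfi_valid = true;

                    // NOTE(review): ScanNTFSStreams() may throw (THROW_EXCEPTION), in
                    // which case hFile and hFind leak; callers should be aware.
                    if (ScanNTFSStreams(entry, hFile))
                        entry->_scanned = true;    // There exist named NTFS sub-streams in this file.

                    CloseHandle(hFile);
                }
            }

            last = entry;
        } while(FindNextFile(hFind, &w32fd));

        if (last)
            last->_next = NULL;

        FindClose(hFind);
    }

    _down = first_entry;
    _scanned = true;
}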
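// Advance past the first component of path `p` (terminated by '\\', '/' or
// NUL) and past the run of separators that follows it. Returns a pointer to
// the start of the next component, or NULL when nothing follows.
const void* WinDirectory::get_next_path_component(const void* p) const
{
    LPCTSTR s = (LPCTSTR) p;

    // skip the current component
    while(*s && *s!=TEXT('\\') && *s!=TEXT('/'))
        ++s;

    // skip the separator(s) that end it
    while(*s==TEXT('\\') || *s==TEXT('/'))
        ++s;

    return *s ? s : NULL;
}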
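// Case-insensitively compare the first path component of `name` (up to NUL,
// '\\' or '/') with the whole of `cand`. Matches only when `cand` ends exactly
// where the component does, so "foo" does not match an entry named "foobar"
// and an empty component matches only an empty name.
static bool match_path_component(LPCTSTR name, LPCTSTR cand)
{
    LPCTSTR p = name;
    LPCTSTR q = cand;

    for(;;) {
        bool end_of_component = !*p || *p==TEXT('\\') || *p==TEXT('/');

        if (end_of_component)
            return !*q;

        if (!*q)
            return false;

        // NOTE(review): tolower() on a TCHAR is only exact for the ANSI build;
        // a Unicode build would want _totlower(). Kept as in the original.
        if (tolower(*p++) != tolower(*q++))
            return false;
    }
}

// Look up the child whose long name or 8.3 alternate name matches the first
// component of the path `p`. Returns NULL when no child matches.
Entry* WinDirectory::find_entry(const void* p)
{
    LPCTSTR name = (LPCTSTR)p;

    for(Entry*entry=_down; entry; entry=entry->_next) {
        if (match_path_component(name, entry->_data.cFileName))
            return entry;

        if (match_path_component(name, entry->_data.cAlternateFileName))
            return entry;
    }

    return NULL;
}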
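// get full path of specified directory entry
// Delegates to get_path_base() with the Windows path flavour (ET_WINDOWS);
// writes at most path_count TCHARs into `path` and returns its result.
bool WinEntry::get_path(PTSTR path, size_t path_count) const
{
    return get_path_base(path, path_count, ET_WINDOWS);
}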
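// Build the absolute shell item ID list (PIDL) for this entry from its full
// Windows path. Returns an empty ShellPath when get_path() fails (presumably
// when the path does not fit in MAX_PATH TCHARs — get_path_base is not
// visible here).
ShellPath WinEntry::create_absolute_pidl() const
{
    CONTEXT("WinEntry::create_absolute_pidl()");

    TCHAR path[MAX_PATH];

    if (!get_path(path, COUNTOF(path)))
        return ShellPath();

    return ShellPath(path);
}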
#endif // _NO_WIN_FS
I get numerous errors, including:
" precomp.h No such file or directory "
" Entry was not declared in this scope "
" HANDLE was not declared in this scope "
Does anyone know what must be done to get this code to compile (which headers and libraries to include, etc.)? It looks quite interesting.
Thanks for any advice.
Here is a *really* good article on programming alternate data streams; it includes sample code in C++ and working sample programs.
http://
Nice link, nabiy.
I downloaded and tried to compile the "list streams" source and included the header file as instructed, but there are errors:
'main' must return 'int'
In function `int main(...)':
'GetFileSzEx' has not been declared
I included the snippet of code they said to put before a certain function as well, but still no success…