The parser is wrong. That's not the complete filename. The only bit it's got right is the offset.
Of course there's something wrong: the filename isn't complete (but this is because the programmer set 'p' and it cuts after 30 chars in Python).
But are you sure that offset is right? 144 would be the size... however, looking at the hex, we see
20 20 00 00 90 00 3C
that is, 20 20 = 8224 and 90 = 144...
No, you see 90 00, which is 144, and 3C 00, which is 60. Both those values tally with the data. The bit before isn't the file length or offset.
Perhaps if I give you a table with the values converted to bytes it'll help you to read the data:
#include <stdint.h>

typedef struct {
    uint32_t RecordLength;               /* 4 bytes: total size of this record, including the name */
    uint16_t MajorVersion;               /* 2 bytes */
    uint16_t MinorVersion;               /* 2 bytes */
    uint64_t FileReferenceNumber;        /* 8 bytes */
    uint64_t ParentFileReferenceNumber;  /* 8 bytes */
    int64_t  Usn;                        /* 8 bytes */
    int64_t  TimeStamp;                  /* 8 bytes (FILETIME) */
    uint32_t Reason;                     /* 4 bytes */
    uint32_t SourceInfo;                 /* 4 bytes */
    uint32_t SecurityId;                 /* 4 bytes */
    uint32_t FileAttributes;             /* 4 bytes */
    uint16_t FileNameLength;             /* 2 bytes: length of FileName in bytes */
    uint16_t FileNameOffset;             /* 2 bytes: offset of FileName from the start of the record */
    uint16_t FileName[1];                /* WCHAR (UTF-16LE) array, variable length, runs to RecordLength */
} USN_RECORD_V2;                         /* layout of USN_RECORD_V2 in winioctl.h */
(I called the FileName ANYTHINGUNDER256BYTES as that's what I found a WCHAR to be from a quick Google. I don't know how accurate that is, but it doesn't really matter, as the record length is specified at the start anyway, so you can check the end.)
You're right, man... OK, so the only problem I have to understand is why the parser took that 20 20. Actually it doesn't read 3C.
Probably be easier to write your own parser 😉
In fact my goal is to write a serious parser... I'm writing it, and for the "engine" I looked at that one... (which is incorrect: it doesn't parse many entries and has other errors).
However, I'll understand why it took 2020 as the size by looking at the byte table you posted, and then I'm near to finishing... it'll be nice :)
Heh, I don't blame you. I've thought this file is under-used in general, and never got round to writing a parser myself (as my coding is pretty rubbish and out of date). But parsing the entries and all their reason codes, and then filtering it etc., I think you could get a lot of very useful info from it. So good luck. One day I might get round to doing the same! p
When I finish I'll post it online, so you can use mine if you need it :) But I'll finish only when it's 100% right! :) Thank you!
Hi, I'm posting again on this topic because I have a question for you...
In the structure, the 4th entry is the MFT Reference (8 bytes). This is NOT the MFT number, but only a reference.
Now, what is this reference? How can I use it?
And more important... I tried, and if I don't take the 2 most significant bytes, I obtain the MFT entry number... is that possible? Why??
Thanks
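Added example (not part of the thread, and not the parser the posters were looking at): a small Python parser for the record layout given above, serving both the "20 20 / 90 00 / 3C 00" discussion and the later question about the 8-byte file reference. With that layout, the four bytes before FileNameLength are FileAttributes, so "20 20 00 00" is 0x2020 (FILE_ATTRIBUTE_ARCHIVE | FILE_ATTRIBUTE_NOT_CONTENT_INDEXED), "90 00" is FileNameLength = 144 bytes (72 UTF-16 characters, which is why a 30-character cap truncates it), and "3C 00" is FileNameOffset = 60, the size of the fixed header. The 64-bit FileReferenceNumber packs the MFT entry number in its low 48 bits and a 16-bit sequence number (incremented each time that MFT entry is reused for a new file) in its high 16 bits, which is exactly why dropping the two most significant bytes leaves the MFT entry number; the sequence number lets you check whether a journal record still refers to the current occupant of that MFT entry. The sample journal bytes are constructed here with a small builder, not captured from a real volume, and the parser only handles major version 2 records (the layout in the thread).

```python
"""Parser for USN_RECORD_V2 entries from an NTFS $UsnJrnl:$J stream (added example)."""
import struct
from datetime import datetime, timedelta, timezone

# Fixed 60-byte header of USN_RECORD_V2, little-endian, in the thread's field order:
# RecordLength(4) MajorVersion(2) MinorVersion(2) FileReferenceNumber(8)
# ParentFileReferenceNumber(8) Usn(8) TimeStamp(8) Reason(4) SourceInfo(4)
# SecurityId(4) FileAttributes(4) FileNameLength(2) FileNameOffset(2)
USN_V2_HEADER = struct.Struct("<IHHQQQqIIIIHH")
assert USN_V2_HEADER.size == 60          # 0x3C, the FileNameOffset seen in the thread

# USN_REASON_* flag bits from winioctl.h; a record's Reason is an OR of these.
REASON_FLAGS = {
    0x00000001: "DATA_OVERWRITE",    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",   0x00000010: "NAMED_DATA_OVERWRITE",
    0x00000020: "NAMED_DATA_EXTEND", 0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",       0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE",         0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME",   0x00002000: "RENAME_NEW_NAME",
    0x00004000: "INDEXABLE_CHANGE",  0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE",  0x00020000: "COMPRESSION_CHANGE",
    0x00040000: "ENCRYPTION_CHANGE", 0x00080000: "OBJECT_ID_CHANGE",
    0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x80000000: "CLOSE",
}

def split_file_reference(ref):
    """64-bit NTFS file reference -> (mft_entry, sequence_number).
    Low 48 bits: MFT entry number. High 16 bits: sequence number, bumped each
    time the entry is reused, so masking off the top two bytes gives the entry."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48

def filetime_to_datetime(filetime):
    """TimeStamp is a Windows FILETIME: 100 ns intervals since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)

def decode_reason(reason):
    """Expand the Reason bitmask into flag names, lowest bit first."""
    return [name for bit, name in sorted(REASON_FLAGS.items()) if reason & bit]

def parse_usn_v2_record(buf, off):
    """Parse the record starting at buf[off]; return (record dict, offset of the next record)."""
    (rec_len, major, minor, fref, pref, usn, ts, reason, source, sec_id, attrs,
     name_len, name_off) = USN_V2_HEADER.unpack_from(buf, off)
    if major != 2:
        raise ValueError(f"unsupported USN record version {major}.{minor} at offset {off}")
    # The name must lie inside the record, and the record inside the buffer.
    if rec_len < USN_V2_HEADER.size or name_off + name_len > rec_len or off + rec_len > len(buf):
        raise ValueError(f"inconsistent record at offset {off}")
    # FileNameLength is in BYTES of UTF-16LE: never cap the name at a fixed character count.
    name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
    mft_entry, seq = split_file_reference(fref)
    parent_entry, parent_seq = split_file_reference(pref)
    record = {
        "offset": off, "record_length": rec_len, "usn": usn,
        "mft_entry": mft_entry, "sequence": seq,
        "parent_mft_entry": parent_entry, "parent_sequence": parent_seq,
        "timestamp": filetime_to_datetime(ts), "reasons": decode_reason(reason),
        "source_info": source, "security_id": sec_id, "file_attributes": attrs,
        "file_name_length": name_len, "file_name_offset": name_off, "file_name": name,
    }
    return record, off + rec_len

def parse_usn_journal(buf):
    """Walk a $J blob. Records are 8-byte aligned; zero-filled gaps (sparse head of
    $J, or padding) read as RecordLength == 0 and are skipped 8 bytes at a time."""
    records, off = [], 0
    while off + USN_V2_HEADER.size <= len(buf):
        if struct.unpack_from("<I", buf, off)[0] == 0:
            off += 8
            continue
        record, off = parse_usn_v2_record(buf, off)
        records.append(record)
    return records

# --- constructed sample data (not captured from a real volume) ------------------
FILETIME_2019_01_01 = 131907744000000000   # 2019-01-01 00:00:00 UTC as a FILETIME

def build_usn_v2_record(name, fref, pref, usn, filetime, reason, attrs):
    """Build one V2 record, padded to an 8-byte boundary."""
    name_bytes = name.encode("utf-16-le")
    rec_len = (USN_V2_HEADER.size + len(name_bytes) + 7) & ~7
    header = USN_V2_HEADER.pack(rec_len, 2, 0, fref, pref, usn, filetime, reason,
                                0, 0, attrs, len(name_bytes), USN_V2_HEADER.size)
    return (header + name_bytes).ljust(rec_len, b"\0")

# File reference = (sequence << 48) | mft_entry. 0x2020 = ARCHIVE | NOT_CONTENT_INDEXED.
REC1 = build_usn_v2_record("document.txt", (7 << 48) | 12345, (1 << 48) | 5,
                           0, FILETIME_2019_01_01, 0x100 | 0x80000000, 0x2020)
GAP = b"\0" * 16   # zero-filled gap between records
REC2 = build_usn_v2_record("a_file_name_longer_than_thirty_characters.log",
                           (3 << 48) | 98765, (1 << 48) | 5, len(REC1) + len(GAP),
                           FILETIME_2019_01_01 + 10_000_000, 0x1 | 0x80000000, 0x20)
SAMPLE_JOURNAL = REC1 + GAP + REC2
SAMPLE_RECORDS = parse_usn_journal(SAMPLE_JOURNAL)

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(f"USN {r['usn']:>6}  MFT {r['mft_entry']}-{r['sequence']}  "
              f"{r['timestamp']:%Y-%m-%d %H:%M:%S}  {'|'.join(r['reasons'])}  {r['file_name']}")
```

To run it against a real journal, extract the $J stream of $Extend\$UsnJrnl from an image and pass its bytes to parse_usn_journal; the version check matters because newer records (major version 3) carry 128-bit file references and a different header size, so this layout must not be applied to them blindly.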