
NTFS ins and outs

75 Posts
10 Users
0 Likes
4,821 Views
CyberGonzo
(@cybergonzo)
Posts: 100
Estimable Member
Topic starter
 

While on topic of compression, I'm obviously not going to re-invent decompression of LZNT1.
Does anybody know what libraries are out there that do this ? And allow me to use it in a commercial product of course.

 
Posted : 13/02/2012 3:49 pm
joakims
(@joakims)
Posts: 224
Estimable Member
 

Considering the speed by which you have digested ntfs so far, I'm sure it takes you about 5 min to implement RtlDecompressBuffer in your app. I made one myself here; http://reboot.pro/files/file/121-lznt1-tools-bootmgrntfs/ It only takes a few lines of extra code to decompress.

 
Posted : 13/02/2012 6:16 pm
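For readers who want to see what "a few lines" of LZNT1 decompression look like without calling RtlDecompressBuffer, here is an added, self-contained Python decoder. It is not code from the thread or from Joakim's tool; the chunk layout (2-byte chunk header with a 12-bit size field and an 0x8000 "compressed" flag, a flag byte followed by up to 8 tokens, and back-reference tokens whose offset/length split shrinks as the chunk fills) follows the publicly documented LZNT1 format, and the sample buffers are constructed by hand for this example.

```python
import struct


def _decompress_chunk(chunk: bytes) -> bytearray:
    """Decode one compressed LZNT1 chunk (at most 4096 bytes of output)."""
    out = bytearray()
    i = 0
    while i < len(chunk):
        flags = chunk[i]          # one flag bit per following token, LSB first
        i += 1
        for bit in range(8):
            if i >= len(chunk):
                break
            if not (flags >> bit) & 1:
                out.append(chunk[i])  # flag 0: literal byte
                i += 1
                continue
            if i + 2 > len(chunk):
                raise ValueError("truncated back-reference token")
            token = struct.unpack_from("<H", chunk, i)[0]
            i += 2
            # The split between offset and length bits depends on how much
            # of the chunk has been produced so far: offsets need more bits
            # the further into the chunk we are.
            pos = len(out)
            len_mask, off_shift = 0xFFF, 12
            while pos >= 0x10:
                len_mask >>= 1
                off_shift -= 1
                pos >>= 1
            length = (token & len_mask) + 3
            offset = (token >> off_shift) + 1
            if offset > len(out):
                raise ValueError("back-reference points before start of chunk")
            # Byte-at-a-time copy so overlapping references (offset < length) work.
            for _ in range(length):
                out.append(out[-offset])
    return out


def lznt1_decompress(buf: bytes) -> bytes:
    """Decode a whole LZNT1 buffer: a sequence of chunks ended by a zero header or end of data."""
    out = bytearray()
    i = 0
    while i + 2 <= len(buf):
        hdr = struct.unpack_from("<H", buf, i)[0]
        i += 2
        if hdr == 0:
            break                                   # zero header terminates the stream
        if (hdr >> 12) & 0x7 != 0x3:
            raise ValueError("bad chunk signature at offset %d" % (i - 2))
        size = (hdr & 0xFFF) + 1                    # compressed size of this chunk
        chunk = buf[i:i + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk at offset %d" % (i - 2))
        i += size
        if hdr & 0x8000:
            out += _decompress_chunk(chunk)         # compressed chunk
        else:
            out += chunk                            # stored (uncompressed) chunk
    return bytes(out)


# Constructed sample: three chunks followed by a zero terminator.
#  1. compressed "ABC" + back-reference (offset 3, length 9)  -> "ABCABCABCABC"
#  2. compressed 16 literals + back-reference made at pos 16, which
#     exercises the shrinking length mask                     -> hex digits twice
#  3. stored chunk "xyz"
SAMPLE = bytes.fromhex(
    "05b0" "08" "414243" "0620"
    "14b0" "00" "3031323334353637" "00" "3839414243444546" "01" "0d78"
    "0230" "78797a"
    "0000"
)


def decode_sample() -> bytes:
    return lznt1_decompress(SAMPLE)


if __name__ == "__main__":
    print(decode_sample())
```

The error paths matter as much as the happy path when the input comes from a disk image: a back-reference that reaches before the start of its chunk, or a chunk size that runs past the end of the buffer, is how a corrupted or hostile compression unit would try to walk a naive decoder off the end of its output.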
CyberGonzo
(@cybergonzo)
Posts: 100
Estimable Member
Topic starter
 

Thanks Joakim.

I'm going to look into this later this week !! First a few other things on my list to do so that I can put my translators to work !!

Cheers !!

 
Posted : 13/02/2012 6:20 pm
 Ddan
(@ddan)
Posts: 42
Eminent Member
 

>I take it, as a for-now solution, compressed files can't be simply decompressed by a third party app ? E.g. if I were to add .zip or something to the extension *for now* so that a third party app can be used to look inside and decompress the file ?

I'm sure they can be decompressed externally. My view though is that compression is an integral part of NTFS. It occurs naturally, i.e. not selected by the user, in some system areas such as restore points. I guess I just don't see the value of giving the average user of IsoBuster a file that isn't correct without some fairly heavy qualifications.

As Joakim has pointed out, it is relatively easy to implement using the APIs. You can find a C coded method, not using APIs, in the Linux NTFS project.

I think I have noticed another problem though: are you only handling the XP style MFT records? I ask this because I have an image from what was a working XP Pro (SP3) installation which has both NT style and XP style records which appear to co-exist. I have no idea how this came about, and I was surprised to see it, but it is not safe to assume that records might be one type or the other.

Ddan

 
Posted : 14/02/2012 9:11 am
CyberGonzo
(@cybergonzo)
Posts: 100
Estimable Member
Topic starter
 

huh ? -)

XP style MFT records ?
NT style MFT records ?

I'm only aware of one type, whatever that type is. I'm guessing XP style since it works on my WinVISTA PC installation and my XP .vmdk files !

What's the difference between the two ? How to detect and what differences to take in account ?

 
Posted : 14/02/2012 1:26 pm
 Ddan
(@ddan)
Posts: 42
Eminent Member
 

Main difference is that the NT style record has a header length of 0x30, and XP has 0x38. These lengths are at offset 0x14 in the header. The extra bytes in the XP style record contain the MFT record number for the current record. The NT style does not have this value. The fixup bytes are also at a different offset. The uint16 at 0x04 gives the offset to the fixup array.

Ddan

 
Posted : 14/02/2012 2:27 pm
(@joethomas)
Posts: 65
Trusted Member
 

To spot the difference between the two, XP MFT entries have a FILE0 header and the older NT ones have a FILE* header.

 
Posted : 14/02/2012 2:38 pm
CyberGonzo
(@cybergonzo)
Posts: 100
Estimable Member
Topic starter
 

Thanks guys.

I have nothing NT-ish handy anymore. Can somebody point me to an NT image available on the net somewhere ?
It's easier to implement if I can actually see it while coding.

> The NT style does not have this value

Good to know because I check that value ! An NT style MFT will not be accepted then by my current code.
Is that what you noticed Ddan ?

Other than that I think I have it covered. I already check the WORD at 0x04 to determine where the fixup values are.

I can check the offset of the first attribute value at 0x14 to see if I'm dealing with an MFT *with* record number or *without* record number

> XP MFT entries have a FILE0 header and the older NT ones have a FILE* header.

I'm not sure I get that Joe ? This would mean that the offset of the fixup array value is stored in a BYTE, not a WORD, and that the FILE signature is located in 5 bytes, not 4 ?
Or am I misunderstanding what you meant ?

 
Posted : 14/02/2012 5:40 pm
(@joethomas)
Posts: 65
Trusted Member
 

> XP MFT entries have a FILE0 header and the older NT ones have a FILE* header.

I'm not sure I get that Joe ? This would mean that the offset of the fixup array value is stored in a BYTE, not a WORD, and that the FILE signature is located in 5 bytes, not 4 ?
Or am I misunderstanding what you meant ?

No, it's just an easy way to spot the difference if viewing them manually since the XP offset to the update sequence is always 0x30 (ASCII "0") and the NT offset is always 0x2A ("*"). The header itself is just the first 4 bytes as you say and is either FILE or BAAD.

 
Posted : 14/02/2012 6:41 pm
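Ddan's and Joe's posts between them give everything needed to parse a record header of either style: the 4-byte signature, the uint16 at 0x04 pointing at the update sequence array (0x2A for NT style, 0x30 for XP style), the uint16 at 0x14 giving the first attribute offset (0x30 or 0x38), and, for XP style only, the record number in the extra header bytes. The following added Python example (not code from the thread or from any poster's product) puts those offsets to work: it detects the style, reads the record number where one exists, and applies the fixups, refusing the record if a sector's trailing word does not match the update sequence number. The two sample records and the choice to store the record number as a uint32 at 0x2C are constructed assumptions for this example.

```python
import struct

SECTOR = 512


class MftRecordError(ValueError):
    """Raised for records that fail signature, layout or fixup checks."""


def parse_mft_record(rec: bytes) -> dict:
    """Parse an NT- or XP-style MFT record header and apply its fixups."""
    if len(rec) == 0 or len(rec) % SECTOR:
        raise MftRecordError("record length must be a non-zero multiple of 512")
    sig = rec[:4]
    if sig not in (b"FILE", b"BAAD"):        # the two signatures named in the thread
        raise MftRecordError("unknown record signature %r" % sig)

    usa_offset, usa_count = struct.unpack_from("<HH", rec, 0x04)   # fixup array
    first_attr = struct.unpack_from("<H", rec, 0x14)[0]            # header length

    if first_attr == 0x30:
        style, record_number = "NT", None          # no record number in NT style
    elif first_attr == 0x38:
        style = "XP"
        # Assumption for this example: the record number lives at 0x2C as a uint32.
        record_number = struct.unpack_from("<I", rec, 0x2C)[0]
    else:
        raise MftRecordError("unexpected first attribute offset 0x%X" % first_attr)

    sectors = len(rec) // SECTOR
    if usa_count != sectors + 1:
        raise MftRecordError("fixup count %d does not cover %d sectors" % (usa_count, sectors))
    if usa_offset + 2 * usa_count > first_attr:
        raise MftRecordError("fixup array overruns the header")

    # Entry 0 is the update sequence number (USN); entries 1..n hold the
    # original last two bytes of each sector, which the driver replaced with
    # the USN so that a torn multi-sector write can be detected.
    usn = struct.unpack_from("<H", rec, usa_offset)[0]
    data = bytearray(rec)
    for i in range(sectors):
        end = (i + 1) * SECTOR - 2
        if struct.unpack_from("<H", rec, end)[0] != usn:
            raise MftRecordError("fixup mismatch in sector %d (torn write or corruption)" % i)
        src = usa_offset + 2 + 2 * i
        data[end:end + 2] = rec[src:src + 2]

    return {
        "signature": sig.decode("ascii"),
        "style": style,
        "record_number": record_number,
        "usa_offset": usa_offset,
        "data": bytes(data),
    }


def build_sample_record(style: str, record_number: int = 0, usn: int = 0x0001) -> bytes:
    """Construct a minimal 1 KiB record of the requested style (test data, not from a real disk)."""
    rec = bytearray(2 * SECTOR)
    rec[:4] = b"FILE"
    usa_offset = 0x2A if style == "NT" else 0x30
    first_attr = 0x30 if style == "NT" else 0x38
    struct.pack_into("<HH", rec, 0x04, usa_offset, 3)       # array: USN + 2 sectors
    struct.pack_into("<H", rec, 0x14, first_attr)
    if style == "XP":
        struct.pack_into("<I", rec, 0x2C, record_number)
    # Pretend the two sectors originally ended in AAAA and BBBB; the driver
    # stores those in the array and writes the USN over the sector ends.
    struct.pack_into("<HHH", rec, usa_offset, usn, 0xAAAA, 0xBBBB)
    for i in range(2):
        struct.pack_into("<H", rec, (i + 1) * SECTOR - 2, usn)
    struct.pack_into("<I", rec, first_attr, 0xFFFFFFFF)     # end-of-attributes marker
    return bytes(rec)


if __name__ == "__main__":
    for style in ("NT", "XP"):
        info = parse_mft_record(build_sample_record(style, record_number=5))
        print(style, info["record_number"], hex(info["usa_offset"]))
```

Because the style is derived from the first attribute offset rather than assumed, the same routine handles a volume where both kinds of record coexist, which is exactly the situation Ddan reported. The fixup check is the part worth keeping even in a read-only tool: a record whose sector ends disagree with the USN was only partially written, and attributes parsed from it cannot be trusted.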
CyberGonzo
(@cybergonzo)
Posts: 100
Estimable Member
Topic starter
 

Cool.

BAAD ?
Again something new ?
Can you explain ? When is BAAD used ?

 
Posted : 14/02/2012 6:43 pm
Page 5 / 8