dumping the content of the $mft file


Problem description

For some commercial projects I need to be able to read the actual data stored in the $mft file.

I found a GPL lib that could help, but since it's GPL I can't integrate it into my code.

Could someone please point me to a project that I could use, or point me at the relevant Windows API (something that doesn't require 1000 lines of code to implement)?

BTW, why doesn't Windows simply allow me to read the mft file directly anyway? (Through the create file and the read method; if I want to ruin my drive it's my business, not MS's.)

Thanks.


Solution

You just have to open a handle to the volume using CreateFile() on \\.\X: where X is the drive letter (check the MSDN documentation on CreateFile(), it mentions this in the Remarks section).

Read the first sector into an NTFS Boot Record structure (you can find it online, search for Richard "Flatcap" Russon, edit: I found it, http://www.flatcap.org/ntfs/ntfs/files/boot.html ). One of the fields in the boot sector structure gives the start location of the MFT in clusters (LCN of VCN 0 of the $MFT), you have to do a SetFilePointer() to that location and read in multiples of sectors. The first 1024 bytes from that location are the file record of the $MFT, again you can parse this structure to find the data attribute which is always non-resident and its size is the actual size of the MFT file at that time.

The basic structures for $Boot, File Record and basic attributes (Standard Information, File Name and Data) along with the parsing code should run you less than 1000 lines of code.
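The procedure from the answer above, as an added example that is not part of the original post or of any library: it parses the $Boot sector to locate the $MFT and walks the $MFT's own file record to find the non-resident $DATA attribute and its real size, working on in-memory buffers (a constructed boot sector and file record stand in for what CreateFile()/ReadFile() would return), and it also restores the update-sequence fixups that a record read straight from disk carries. Field offsets follow the layouts on the flatcap pages linked above; all values in the sample are made up.

```c
#include <stdint.h>
#include <string.h>
/* NTFS on-disk fields are little-endian; read them byte-wise so host alignment does not matter. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
/* Byte offset of the $MFT: LCN of its VCN 0 (boot+0x30) times the cluster size; 0 if not NTFS. */
uint64_t mft_byte_offset(const uint8_t boot[512]) {
    if (memcmp(boot + 3, "NTFS    ", 8) != 0 || rd16(boot + 0x1FE) != 0xAA55) return 0;
    return rd64(boot + 0x30) * rd16(boot + 0x0B) * boot[0x0D];
}
/* Real size of the unnamed non-resident $DATA attribute (type 0x80) of a 1024-byte FILE record.
 * Fixups are undone first: on disk the last two bytes of each sector hold the update sequence
 * number and the originals sit in the update sequence array; a mismatch (torn record) yields 0. */
uint64_t mft_data_size(uint8_t *rec, size_t len) {
    if (len < 1024 || memcmp(rec, "FILE", 4) != 0) return 0;
    size_t usa_off = rd16(rec + 4), usa_cnt = rd16(rec + 6);
    if (usa_cnt < 2 || usa_cnt > len / 512 + 1 || usa_off + 2 * usa_cnt > len) return 0;
    for (size_t i = 1; i < usa_cnt; i++) {                   /* one entry per 512-byte sector */
        if (rd16(rec + i * 512 - 2) != rd16(rec + usa_off)) return 0;
        memcpy(rec + i * 512 - 2, rec + usa_off + 2 * i, 2);
    }
    for (size_t off = rd16(rec + 0x14); off + 16 <= len; ) { /* walk the attribute list */
        uint32_t type = rd32(rec + off), alen = rd32(rec + off + 4);
        if (type == 0xFFFFFFFF) break;                        /* end-of-attributes marker */
        if (alen < 16 || off + alen > len) return 0;
        if (type == 0x80 && rec[off + 8] == 1 && rec[off + 9] == 0 && alen >= 0x40)
            return rd64(rec + off + 0x30);                    /* non-resident: real size at +0x30 */
        off += alen;
    }
    return 0;
}
/* Constructed sample, not from a real disk: 512-byte sectors, 8 per cluster, $MFT at LCN 0xC0000,
 * and a $MFT record ($STANDARD_INFORMATION + non-resident $DATA of 0x10000000 bytes) with fixups. */
static void build_sample(uint8_t boot[512], uint8_t rec[1024]) {
    memset(boot, 0, 512); memset(rec, 0, 1024); memcpy(boot + 3, "NTFS    ", 8);
    boot[0x0C] = 0x02; boot[0x0D] = 8; boot[0x32] = 0x0C; boot[0x1FE] = 0x55; boot[0x1FF] = 0xAA;
    memcpy(rec, "FILE", 4); rec[4] = 0x30; rec[6] = 3; rec[0x14] = 0x38; /* USA at 0x30, 3 entries */
    rec[0x38] = 0x10; rec[0x3C] = 0x60;                       /* $STANDARD_INFORMATION, 0x60 bytes */
    rec[0x98] = 0x80; rec[0x9C] = 0x48; rec[0xA0] = 1; rec[0xCB] = 0x10; /* $DATA, real size at +0x30 */
    memset(rec + 0xE0, 0xFF, 4);                              /* end-of-attributes marker */
    rec[0x30] = rec[0x1FE] = rec[0x3FE] = 1;                  /* USN 1 stamped over each sector tail */
}
/* Runs both parsers on the sample; corrupt_usn simulates a torn write of the record's 2nd sector. */
uint64_t sample_data_size(int corrupt_usn, uint64_t *mft_off) {
    uint8_t boot[512], rec[1024];
    build_sample(boot, rec); if (corrupt_usn) rec[0x3FE] = 2;
    *mft_off = mft_byte_offset(boot);
    return mft_data_size(rec, sizeof rec);
}
```

On a real volume the same two functions take the first 512 bytes of the volume and the 1024 bytes at the returned offset; the fixup check is what tells a consistent record from one caught mid-write.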
