[旧帖] [求助]WINHEX 模板 读MFT项的属性 0.00雪花
发表于: 2012-9-8 11:13 1271
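template "MFT的所有属性"
description "适用于NTFS "
begin
	// Decodes one NTFS FILE (MFT) record: the fixed record header first, then
	// the header of each attribute until the 0xFFFFFFFF end marker.
	// Values are shown as stored on disk. If the record is viewed raw (fixups
	// not applied), the last two bytes of each sector hold the update sequence
	// number rather than the original data, so a field that lands there is wrong.

	// --- FILE record header (offsets 0x00..0x37) ---
	char[4] "签名"
	uint16 "更新序列号的偏移"
	uint16 "更新序列号数组的个数"
	int64 "日志序列号"
	uint16 "序列号"
	uint16 "硬链接计数 "
	hexadecimal uint16 "到第一个属性偏移地址"
	hex 2 "标记 "
	uint32 "MFT项逻辑长度"
	uint32 "MFT项物理长度"
	int64 "基础记录 (0: 自身)"
	uint16 "下一个属性 ID"
	uint16 "边界"
	uint32 "MFT记录编号"
	// Displayed as a single 8-byte value; assumes the update sequence array
	// sits at 0x30 -- TODO confirm against "更新序列号的偏移" for the volume.
	int64 "更新序列号数组"

	// Jump to the first attribute using the offset read from the header, so the
	// loop below does not depend on how many header bytes were displayed.
	goto "到第一个属性偏移地址"
	{
		endsection // separator line between attributes
		// Common attribute header, shared by resident and non-resident forms (16 bytes).
		hexadecimal uint32 "属性类型"
		IfEqual "属性类型" 4294967295 // 0xFFFFFFFF marks the end of the attribute list
			ExitLoop // normal loop exit
		EndIf
		// Total attribute length (header + name + content + padding). It is read
		// from the record itself: on a damaged or tampered record it can be
		// smaller than the header or reach past the record, so treat everything
		// decoded after an implausible length as unreliable.
		hexadecimal uint32 "LengthOfProper"
		IfEqual "LengthOfProper" 0
			ExitLoop // a zero length would never advance; stop instead
		EndIf
		uint8 "非驻留属性标识"
		uint8 "属性名长度"
		uint16 "属性名位置偏移"
		uint16 "处理标志"
		uint16 "属性ID"
		IfEqual "非驻留属性标识" 0 // resident attribute
			uint32 "ProLen"
			uint16 "属性内容位于属性头的偏移"
			uint8 "索引标志"
			uint8 "无意义"
			// 24 header bytes were read. Step back to the attribute start and
			// advance by the total length. Advancing by the content length
			// ("ProLen") alone ignores the attribute name and the 8-byte
			// alignment padding and lands inside the current attribute.
			move -24
			move "LengthOfProper"
		Else // non-resident attribute
			int64 "簇流起始VCN"
			int64 "簇流结束VCN"
			uint16 "簇流列表位于属性头的偏移"
			uint16 "压缩单位的大小"
			uint32 "没使用"
			// In the non-resident header the allocated (physical) size comes
			// first, then the real (logical) size, then the initialized size.
			int64 "属性内容物理长度"
			int64 "属性内容逻辑长度"
			int64 "属性内容初始大小"
			// 64 header bytes were read here (16 common + 48), not 56; stepping
			// back by 56 left the next attribute 8 bytes out of alignment.
			move -64
			move "LengthOfProper"
		EndIf
	}[20] //arbitrary number to avoid infinite loops
end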
谁能告诉我哪写错了呀?
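description "适用于NTFS "
begin
	// Decodes one NTFS FILE (MFT) record: the fixed record header first, then
	// the header of each attribute until the 0xFFFFFFFF end marker.
	// Values are shown as stored on disk. If the record is viewed raw (fixups
	// not applied), the last two bytes of each sector hold the update sequence
	// number rather than the original data, so a field that lands there is wrong.

	// --- FILE record header (offsets 0x00..0x37) ---
	char[4] "签名"
	uint16 "更新序列号的偏移"
	uint16 "更新序列号数组的个数"
	int64 "日志序列号"
	uint16 "序列号"
	uint16 "硬链接计数 "
	hexadecimal uint16 "到第一个属性偏移地址"
	hex 2 "标记 "
	uint32 "MFT项逻辑长度"
	uint32 "MFT项物理长度"
	int64 "基础记录 (0: 自身)"
	uint16 "下一个属性 ID"
	uint16 "边界"
	uint32 "MFT记录编号"
	// Displayed as a single 8-byte value; assumes the update sequence array
	// sits at 0x30 -- TODO confirm against "更新序列号的偏移" for the volume.
	int64 "更新序列号数组"

	// Jump to the first attribute using the offset read from the header, so the
	// loop below does not depend on how many header bytes were displayed.
	goto "到第一个属性偏移地址"
	{
		endsection // separator line between attributes
		// Common attribute header, shared by resident and non-resident forms (16 bytes).
		hexadecimal uint32 "属性类型"
		IfEqual "属性类型" 4294967295 // 0xFFFFFFFF marks the end of the attribute list
			ExitLoop // normal loop exit
		EndIf
		// Total attribute length (header + name + content + padding). It is read
		// from the record itself: on a damaged or tampered record it can be
		// smaller than the header or reach past the record, so treat everything
		// decoded after an implausible length as unreliable.
		hexadecimal uint32 "LengthOfProper"
		IfEqual "LengthOfProper" 0
			ExitLoop // a zero length would never advance; stop instead
		EndIf
		uint8 "非驻留属性标识"
		uint8 "属性名长度"
		uint16 "属性名位置偏移"
		uint16 "处理标志"
		uint16 "属性ID"
		IfEqual "非驻留属性标识" 0 // resident attribute
			uint32 "ProLen"
			uint16 "属性内容位于属性头的偏移"
			uint8 "索引标志"
			uint8 "无意义"
			// 24 header bytes were read. Step back to the attribute start and
			// advance by the total length. Advancing by the content length
			// ("ProLen") alone ignores the attribute name and the 8-byte
			// alignment padding and lands inside the current attribute.
			move -24
			move "LengthOfProper"
		Else // non-resident attribute
			int64 "簇流起始VCN"
			int64 "簇流结束VCN"
			uint16 "簇流列表位于属性头的偏移"
			uint16 "压缩单位的大小"
			uint32 "没使用"
			// In the non-resident header the allocated (physical) size comes
			// first, then the real (logical) size, then the initialized size.
			int64 "属性内容物理长度"
			int64 "属性内容逻辑长度"
			int64 "属性内容初始大小"
			// 64 header bytes were read here (16 common + 48), not 56; stepping
			// back by 56 left the next attribute 8 bytes out of alignment.
			move -64
			move "LengthOfProper"
		EndIf
	}[20] //arbitrary number to avoid infinite loops
end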
谁能告诉我哪写错了呀?