2014-01-08 05:03:52 +01:00
|
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
|
|
;; ;;
|
|
|
|
;; Copyright (C) KolibriOS team 2004-2013. All rights reserved. ;;
|
|
|
|
;; Distributed under terms of the GNU General Public License ;;
|
|
|
|
;; ;;
|
|
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
|
|
|
2014-09-12 21:16:32 +02:00
|
|
|
$Revision: 5089 $
|
2014-01-08 05:03:52 +01:00
|
|
|
|
|
|
|
struct NTFS PARTITION
|
|
|
|
Lock MUTEX ? ; currently operations with one partition
|
|
|
|
; can not be executed in parallel since the
|
|
|
|
; legacy code is not ready; this mutex guards
|
|
|
|
; all operations
|
|
|
|
sectors_per_cluster dd ?
|
|
|
|
mft_cluster dd ?
|
|
|
|
mftmirr_cluster dd ?
|
|
|
|
frs_size dd ? ; FRS size in bytes
|
|
|
|
iab_size dd ? ; IndexAllocationBuffer size in bytes
|
|
|
|
frs_buffer dd ?
|
|
|
|
iab_buffer dd ?
|
|
|
|
mft_retrieval dd ?
|
|
|
|
mft_retrieval_size dd ?
|
|
|
|
mft_retrieval_alloc dd ?
|
|
|
|
mft_retrieval_end dd ?
|
|
|
|
cur_index_size dd ?
|
|
|
|
cur_index_buf dd ?
|
|
|
|
|
|
|
|
ntfs_cur_attr dd ?
|
|
|
|
ntfs_cur_iRecord dd ?
|
|
|
|
ntfs_cur_offs dd ? ; in sectors
|
|
|
|
ntfs_cur_size dd ? ; in sectors
|
|
|
|
ntfs_cur_buf dd ?
|
|
|
|
ntfs_cur_read dd ? ; [output]
|
|
|
|
ntfs_bCanContinue db ?
|
|
|
|
rb 3
|
|
|
|
|
|
|
|
cur_subnode_size dd ?
|
|
|
|
ntfs_attr_iRecord dd ?
|
|
|
|
ntfs_attr_iBaseRecord dd ?
|
|
|
|
ntfs_attr_offs dd ?
|
|
|
|
ntfs_attr_list dd ?
|
|
|
|
ntfs_attr_size dq ?
|
|
|
|
ntfs_cur_tail dd ?
|
|
|
|
|
|
|
|
ntfs_attrlist_buf rb 0x400
|
|
|
|
ntfs_attrlist_mft_buf rb 0x400
|
|
|
|
ntfs_bitmap_buf rb 0x400
|
|
|
|
ends
|
|
|
|
|
|
|
|
iglobal
|
|
|
|
align 4
|
|
|
|
ntfs_user_functions:
|
|
|
|
dd ntfs_free
|
|
|
|
dd (ntfs_user_functions_end - ntfs_user_functions - 4) / 4
|
|
|
|
dd ntfs_Read
|
|
|
|
dd ntfs_ReadFolder
|
|
|
|
dd ntfs_Rewrite
|
|
|
|
dd ntfs_Write
|
|
|
|
dd ntfs_SetFileEnd
|
|
|
|
dd ntfs_GetFileInfo
|
|
|
|
dd ntfs_SetFileInfo
|
|
|
|
dd 0
|
|
|
|
dd ntfs_Delete
|
|
|
|
dd ntfs_CreateFolder
|
|
|
|
ntfs_user_functions_end:
|
|
|
|
endg
|
|
|
|
|
|
|
|
ntfs_test_bootsec:
|
|
|
|
; in: ebx->buffer, edx=size of partition
|
|
|
|
; out: CF set <=> invalid
|
|
|
|
; 1. Name=='NTFS '
|
|
|
|
cmp dword [ebx+3], 'NTFS'
|
|
|
|
jnz .no
|
|
|
|
cmp dword [ebx+7], ' '
|
|
|
|
jnz .no
|
|
|
|
; 2. Number of bytes per sector is the same as for physical device
|
|
|
|
; (that is, 0x200 for hard disk)
|
|
|
|
cmp word [ebx+11], 0x200
|
|
|
|
jnz .no
|
|
|
|
; 3. Number of sectors per cluster must be power of 2
|
|
|
|
movzx eax, byte [ebx+13]
|
|
|
|
dec eax
|
|
|
|
js .no
|
|
|
|
test al, [ebx+13]
|
|
|
|
jnz .no
|
|
|
|
; 4. FAT parameters must be zero
|
|
|
|
cmp word [ebx+14], 0
|
|
|
|
jnz .no
|
|
|
|
cmp dword [ebx+16], 0
|
|
|
|
jnz .no
|
|
|
|
cmp byte [ebx+20], 0
|
|
|
|
jnz .no
|
|
|
|
cmp word [ebx+22], 0
|
|
|
|
jnz .no
|
|
|
|
cmp dword [ebx+32], 0
|
|
|
|
jnz .no
|
|
|
|
; 5. Number of sectors <= partition size
|
|
|
|
cmp dword [ebx+0x2C], 0
|
|
|
|
ja .no
|
|
|
|
cmp [ebx+0x28], edx
|
|
|
|
ja .no
|
|
|
|
; 6. $MFT and $MFTMirr clusters must be within partition
|
|
|
|
cmp dword [ebx+0x34], 0
|
|
|
|
ja .no
|
|
|
|
push edx
|
|
|
|
movzx eax, byte [ebx+13]
|
|
|
|
mul dword [ebx+0x30]
|
|
|
|
test edx, edx
|
|
|
|
pop edx
|
|
|
|
jnz .no
|
|
|
|
cmp eax, edx
|
|
|
|
ja .no
|
|
|
|
cmp dword [ebx+0x3C], 0
|
|
|
|
ja .no
|
|
|
|
push edx
|
|
|
|
movzx eax, byte [ebx+13]
|
|
|
|
mul dword [ebx+0x38]
|
|
|
|
test edx, edx
|
|
|
|
pop edx
|
|
|
|
jnz .no
|
|
|
|
cmp eax, edx
|
|
|
|
ja .no
|
|
|
|
; 7. Clusters per FRS must be either negative and in [-31,-9] or positive and power of 2
|
|
|
|
movsx eax, byte [ebx+0x40]
|
|
|
|
cmp al, -31
|
|
|
|
jl .no
|
|
|
|
cmp al, -9
|
|
|
|
jle @f
|
|
|
|
dec eax
|
|
|
|
js .no
|
|
|
|
test [ebx+0x40], al
|
|
|
|
jnz .no
|
|
|
|
@@:
|
|
|
|
; 8. Same for clusters per IndexAllocationBuffer
|
|
|
|
movsx eax, byte [ebx+0x44]
|
|
|
|
cmp al, -31
|
|
|
|
jl .no
|
|
|
|
cmp al, -9
|
|
|
|
jle @f
|
|
|
|
dec eax
|
|
|
|
js .no
|
|
|
|
test [ebx+0x44], al
|
|
|
|
jnz .no
|
|
|
|
@@:
|
|
|
|
; OK, this is correct NTFS bootsector
|
|
|
|
clc
|
|
|
|
ret
|
|
|
|
.no:
|
|
|
|
; No, this bootsector isn't NTFS
|
|
|
|
stc
|
|
|
|
ret
|
|
|
|
|
|
|
|
proc ntfs_create_partition
|
2014-09-12 21:16:32 +02:00
|
|
|
cmp dword [esi+DISK.MediaInfo.SectorSize], 512
|
|
|
|
jnz .nope
|
2014-01-08 05:03:52 +01:00
|
|
|
mov edx, dword [ebp+PARTITION.Length]
|
|
|
|
cmp dword [esp+4], 0
|
|
|
|
jz .boot_read_ok
|
|
|
|
add ebx, 512
|
|
|
|
lea eax, [edx-1]
|
|
|
|
call fs_read32_sys
|
|
|
|
test eax, eax
|
|
|
|
jnz @f
|
|
|
|
call ntfs_test_bootsec
|
|
|
|
jnc .ntfs_setup
|
|
|
|
@@:
|
|
|
|
mov eax, edx
|
|
|
|
shr eax, 1
|
|
|
|
call fs_read32_sys
|
|
|
|
test eax, eax
|
|
|
|
jnz .nope ; no chance...
|
|
|
|
.boot_read_ok:
|
|
|
|
call ntfs_test_bootsec
|
|
|
|
jnc .ntfs_setup
|
|
|
|
.nope:
|
|
|
|
xor eax, eax
|
|
|
|
jmp .exit
|
|
|
|
|
|
|
|
.ntfs_setup:
|
|
|
|
; By given bootsector, initialize some NTFS variables
|
|
|
|
movi eax, sizeof.NTFS
|
|
|
|
call malloc
|
|
|
|
test eax, eax
|
|
|
|
jz .exit
|
|
|
|
mov ecx, dword [ebp+PARTITION.FirstSector]
|
|
|
|
mov dword [eax+NTFS.FirstSector], ecx
|
|
|
|
mov ecx, dword [ebp+PARTITION.FirstSector+4]
|
|
|
|
mov dword [eax+NTFS.FirstSector+4], ecx
|
|
|
|
mov ecx, dword [ebp+PARTITION.Length]
|
|
|
|
mov dword [eax+NTFS.Length], ecx
|
|
|
|
mov ecx, dword [ebp+PARTITION.Length+4]
|
|
|
|
mov dword [eax+NTFS.Length+4], ecx
|
|
|
|
mov ecx, [ebp+PARTITION.Disk]
|
|
|
|
mov [eax+NTFS.Disk], ecx
|
|
|
|
mov [eax+NTFS.FSUserFunctions], ntfs_user_functions
|
|
|
|
push ebx ebp esi
|
|
|
|
mov ebp, eax
|
|
|
|
|
|
|
|
lea ecx, [ebp+NTFS.Lock]
|
|
|
|
call mutex_init
|
|
|
|
|
|
|
|
movzx eax, byte [ebx+13]
|
|
|
|
mov [ebp+NTFS.sectors_per_cluster], eax
|
|
|
|
mov eax, [ebx+0x28]
|
|
|
|
mov dword [ebp+NTFS.Length], eax
|
|
|
|
and dword [ebp+NTFS.Length+4], 0
|
|
|
|
mov eax, [ebx+0x30]
|
|
|
|
mov [ebp+NTFS.mft_cluster], eax
|
|
|
|
mov eax, [ebx+0x38]
|
|
|
|
mov [ebp+NTFS.mftmirr_cluster], eax
|
|
|
|
movsx eax, byte [ebx+0x40]
|
|
|
|
test eax, eax
|
|
|
|
js .1
|
|
|
|
mul [ebp+NTFS.sectors_per_cluster]
|
|
|
|
shl eax, 9
|
|
|
|
jmp .2
|
|
|
|
.1:
|
|
|
|
neg eax
|
|
|
|
mov ecx, eax
|
|
|
|
mov eax, 1
|
|
|
|
shl eax, cl
|
|
|
|
.2:
|
|
|
|
mov [ebp+NTFS.frs_size], eax
|
|
|
|
movsx eax, byte [ebx+0x44]
|
|
|
|
test eax, eax
|
|
|
|
js .3
|
|
|
|
mul [ebp+NTFS.sectors_per_cluster]
|
|
|
|
shl eax, 9
|
|
|
|
jmp .4
|
|
|
|
.3:
|
|
|
|
neg eax
|
|
|
|
mov ecx, eax
|
|
|
|
mov eax, 1
|
|
|
|
shl eax, cl
|
|
|
|
.4:
|
|
|
|
mov [ebp+NTFS.iab_size], eax
|
|
|
|
; allocate space for buffers
|
|
|
|
add eax, [ebp+NTFS.frs_size]
|
|
|
|
push eax
|
|
|
|
call kernel_alloc
|
|
|
|
test eax, eax
|
|
|
|
jz .fail_free
|
|
|
|
mov [ebp+NTFS.frs_buffer], eax
|
|
|
|
add eax, [ebp+NTFS.frs_size]
|
|
|
|
mov [ebp+NTFS.iab_buffer], eax
|
|
|
|
; read $MFT disposition
|
|
|
|
mov eax, [ebp+NTFS.mft_cluster]
|
|
|
|
mul [ebp+NTFS.sectors_per_cluster]
|
|
|
|
call ntfs_read_frs_sector
|
|
|
|
test eax, eax
|
|
|
|
jnz .usemirr
|
|
|
|
cmp dword [ebx], 'FILE'
|
|
|
|
jnz .usemirr
|
|
|
|
call ntfs_restore_usa_frs
|
|
|
|
jnc .mftok
|
|
|
|
.usemirr:
|
|
|
|
mov eax, [ebp+NTFS.mftmirr_cluster]
|
|
|
|
mul [ebp+NTFS.sectors_per_cluster]
|
|
|
|
call ntfs_read_frs_sector
|
|
|
|
test eax, eax
|
|
|
|
jnz @f
|
|
|
|
cmp dword [ebx], 'FILE'
|
|
|
|
jnz @f
|
|
|
|
call ntfs_restore_usa_frs
|
|
|
|
jnc .mftok
|
|
|
|
@@:
|
|
|
|
; $MFT and $MFTMirr invalid!
|
|
|
|
.fail_free_frs:
|
|
|
|
push [ebp+NTFS.frs_buffer]
|
|
|
|
call kernel_free
|
|
|
|
.fail_free:
|
|
|
|
mov eax, ebp
|
|
|
|
call free
|
|
|
|
xor eax, eax
|
|
|
|
.pop_exit:
|
|
|
|
pop esi ebp ebx
|
|
|
|
.exit:
|
|
|
|
cmp dword [esp+4], 0
|
|
|
|
jz @f
|
|
|
|
sub ebx, 512
|
|
|
|
@@:
|
|
|
|
ret
|
|
|
|
.fail_free_mft:
|
|
|
|
push [ebp+NTFS.mft_retrieval]
|
|
|
|
call kernel_free
|
|
|
|
jmp .fail_free_frs
|
|
|
|
.mftok:
|
|
|
|
; read $MFT table retrieval information
|
|
|
|
; start with one page, increase if not enough (when MFT too fragmented)
|
|
|
|
push ebx
|
|
|
|
push 0x1000
|
|
|
|
call kernel_alloc
|
|
|
|
pop ebx
|
|
|
|
test eax, eax
|
|
|
|
jz .fail_free_frs
|
|
|
|
mov [ebp+NTFS.mft_retrieval], eax
|
|
|
|
and [ebp+NTFS.mft_retrieval_size], 0
|
|
|
|
mov [ebp+NTFS.mft_retrieval_alloc], 0x1000/8
|
|
|
|
; $MFT base record must contain unnamed non-resident $DATA attribute
|
|
|
|
movzx eax, word [ebx+14h]
|
|
|
|
add eax, ebx
|
|
|
|
.scandata:
|
|
|
|
cmp dword [eax], -1
|
|
|
|
jz .fail_free_mft
|
|
|
|
cmp dword [eax], 0x80
|
|
|
|
jnz @f
|
|
|
|
cmp byte [eax+9], 0
|
|
|
|
jz .founddata
|
|
|
|
@@:
|
|
|
|
add eax, [eax+4]
|
|
|
|
jmp .scandata
|
|
|
|
.founddata:
|
|
|
|
cmp byte [eax+8], 0
|
|
|
|
jz .fail_free_mft
|
|
|
|
; load first portion of $DATA attribute retrieval information
|
|
|
|
mov edx, [eax+0x18]
|
|
|
|
mov [ebp+NTFS.mft_retrieval_end], edx
|
|
|
|
mov esi, eax
|
|
|
|
movzx eax, word [eax+0x20]
|
|
|
|
add esi, eax
|
|
|
|
sub esp, 10h
|
|
|
|
.scanmcb:
|
|
|
|
call ntfs_decode_mcb_entry
|
|
|
|
jnc .scanmcbend
|
|
|
|
call .get_mft_retrieval_ptr
|
|
|
|
mov edx, [esp] ; block length
|
|
|
|
mov [eax], edx
|
|
|
|
mov edx, [esp+8] ; block addr (relative)
|
|
|
|
mov [eax+4], edx
|
|
|
|
inc [ebp+NTFS.mft_retrieval_size]
|
|
|
|
jmp .scanmcb
|
|
|
|
.scanmcbend:
|
|
|
|
add esp, 10h
|
|
|
|
; there may be other portions of $DATA attribute in auxiliary records;
|
|
|
|
; if they will be needed, they will be loaded later
|
|
|
|
|
|
|
|
mov [ebp+NTFS.cur_index_size], 0x1000/0x200
|
|
|
|
push 0x1000
|
|
|
|
call kernel_alloc
|
|
|
|
test eax, eax
|
|
|
|
jz .fail_free_mft
|
|
|
|
mov [ebp+NTFS.cur_index_buf], eax
|
|
|
|
|
|
|
|
mov eax, ebp
|
|
|
|
jmp .pop_exit
|
|
|
|
endp
|
|
|
|
|
|
|
|
.get_mft_retrieval_ptr:
|
|
|
|
pushad
|
|
|
|
mov eax, [ebp+NTFS.mft_retrieval_size]
|
|
|
|
cmp eax, [ebp+NTFS.mft_retrieval_alloc]
|
|
|
|
jnz .ok
|
|
|
|
add eax, 0x1000/8
|
|
|
|
mov [ebp+NTFS.mft_retrieval_alloc], eax
|
|
|
|
shl eax, 3
|
|
|
|
push eax
|
|
|
|
call kernel_alloc
|
|
|
|
test eax, eax
|
|
|
|
jnz @f
|
|
|
|
popad
|
|
|
|
add esp, 14h
|
|
|
|
jmp .fail_free_mft
|
|
|
|
@@:
|
|
|
|
mov esi, [ebp+NTFS.mft_retrieval]
|
|
|
|
mov edi, eax
|
|
|
|
mov ecx, [ebp+NTFS.mft_retrieval_size]
|
|
|
|
add ecx, ecx
|
|
|
|
rep movsd
|
|
|
|
push [ebp+NTFS.mft_retrieval]
|
|
|
|
mov [ebp+NTFS.mft_retrieval], eax
|
|
|
|
call kernel_free
|
|
|
|
mov eax, [ebp+NTFS.mft_retrieval_size]
|
|
|
|
.ok:
|
|
|
|
shl eax, 3
|
|
|
|
add eax, [ebp+NTFS.mft_retrieval]
|
|
|
|
mov [esp+28], eax
|
|
|
|
popad
|
|
|
|
ret
|
|
|
|
|
|
|
|
proc ntfs_free
|
|
|
|
push ebx
|
|
|
|
xchg ebx, eax
|
|
|
|
stdcall kernel_free, [ebx+NTFS.frs_buffer]
|
|
|
|
stdcall kernel_free, [ebx+NTFS.mft_retrieval]
|
|
|
|
stdcall kernel_free, [ebx+NTFS.cur_index_buf]
|
|
|
|
xchg ebx, eax
|
|
|
|
call free
|
|
|
|
pop ebx
|
|
|
|
ret
|
|
|
|
endp
|
|
|
|
|
|
|
|
proc ntfs_lock
|
|
|
|
lea ecx, [ebp+NTFS.Lock]
|
|
|
|
jmp mutex_lock
|
|
|
|
endp
|
|
|
|
|
|
|
|
proc ntfs_unlock
|
|
|
|
lea ecx, [ebp+NTFS.Lock]
|
|
|
|
jmp mutex_unlock
|
|
|
|
endp
|
|
|
|
|
|
|
|
ntfs_read_frs_sector:
|
|
|
|
push ecx
|
|
|
|
mov ebx, [ebp+NTFS.frs_buffer]
|
|
|
|
push ebx
|
|
|
|
mov ecx, [ebp+NTFS.frs_size]
|
|
|
|
shr ecx, 9
|
|
|
|
push ecx
|
|
|
|
mov ecx, eax
|
|
|
|
@@:
|
|
|
|
mov eax, ecx
|
|
|
|
call fs_read32_sys
|
|
|
|
test eax, eax
|
|
|
|
jnz .fail
|
|
|
|
add ebx, 0x200
|
|
|
|
inc ecx
|
|
|
|
dec dword [esp]
|
|
|
|
jnz @b
|
|
|
|
pop eax
|
|
|
|
.fail:
|
|
|
|
pop ebx
|
|
|
|
pop ecx
|
|
|
|
ret
|
|
|
|
|
|
|
|
ntfs_read_attr:
|
|
|
|
; in: variables in ebp+NTFS.*
|
|
|
|
; out: [ebp+NTFS.ntfs_cur_read]
|
|
|
|
; out: CF=1 => notfound, in this case eax=0 => disk ok, otherwise eax=disk error code
|
|
|
|
xor eax, eax
|
|
|
|
pushad
|
|
|
|
and [ebp+NTFS.ntfs_cur_read], 0
|
|
|
|
cmp [ebp+NTFS.ntfs_cur_iRecord], 0
|
|
|
|
jnz .nomft
|
|
|
|
cmp [ebp+NTFS.ntfs_cur_attr], 0x80
|
|
|
|
jnz .nomft
|
|
|
|
mov eax, [ebp+NTFS.mft_retrieval_end]
|
|
|
|
inc eax
|
|
|
|
mul [ebp+NTFS.sectors_per_cluster]
|
|
|
|
cmp eax, [ebp+NTFS.ntfs_cur_offs]
|
|
|
|
jbe .nomft
|
|
|
|
; precalculated part of $Mft $DATA
|
|
|
|
mov esi, [ebp+NTFS.mft_retrieval]
|
|
|
|
mov eax, [ebp+NTFS.ntfs_cur_offs]
|
|
|
|
xor edx, edx
|
|
|
|
div [ebp+NTFS.sectors_per_cluster]
|
|
|
|
; eax = VCN, edx = offset in sectors from beginning of cluster
|
|
|
|
xor ecx, ecx ; ecx will contain LCN
|
|
|
|
.mftscan:
|
|
|
|
add ecx, [esi+4]
|
|
|
|
sub eax, [esi]
|
|
|
|
jb @f
|
|
|
|
add esi, 8
|
|
|
|
push eax
|
|
|
|
mov eax, [ebp+NTFS.mft_retrieval_end]
|
|
|
|
shl eax, 3
|
|
|
|
add eax, [ebp+NTFS.mft_retrieval]
|
|
|
|
cmp eax, esi
|
|
|
|
pop eax
|
|
|
|
jnz .mftscan
|
|
|
|
jmp .nomft
|
|
|
|
@@:
|
|
|
|
push ecx
|
|
|
|
add ecx, eax
|
|
|
|
add ecx, [esi]
|
|
|
|
push eax
|
|
|
|
push edx
|
|
|
|
mov eax, [ebp+NTFS.sectors_per_cluster]
|
|
|
|
mul ecx
|
|
|
|
; eax = sector on partition
|
|
|
|
pop edx
|
|
|
|
add eax, edx
|
|
|
|
mov ebx, [ebp+NTFS.ntfs_cur_buf]
|
|
|
|
pop ecx
|
|
|
|
neg ecx
|
|
|
|
imul ecx, [ebp+NTFS.sectors_per_cluster]
|
|
|
|
sub ecx, edx
|
|
|
|
cmp ecx, [ebp+NTFS.ntfs_cur_size]
|
|
|
|
jb @f
|
|
|
|
mov ecx, [ebp+NTFS.ntfs_cur_size]
|
|
|
|
@@:
|
|
|
|
; ecx = number of sequential sectors to read
|
|
|
|
push eax
|
|
|
|
call fs_read32_sys
|
|
|
|
pop edx
|
|
|
|
test eax, eax
|
|
|
|
jnz .errread
|
|
|
|
add [ebp+NTFS.ntfs_cur_read], 0x200
|
|
|
|
dec [ebp+NTFS.ntfs_cur_size]
|
|
|
|
inc [ebp+NTFS.ntfs_cur_offs]
|
|
|
|
add ebx, 0x200
|
|
|
|
mov [ebp+NTFS.ntfs_cur_buf], ebx
|
|
|
|
lea eax, [edx+1]
|
|
|
|
loop @b
|
|
|
|
pop ecx
|
|
|
|
xor eax, eax
|
|
|
|
xor edx, edx
|
|
|
|
cmp [ebp+NTFS.ntfs_cur_size], eax
|
|
|
|
jz @f
|
|
|
|
add esi, 8
|
|
|
|
push eax
|
|
|
|
mov eax, [ebp+NTFS.mft_retrieval_end]
|
|
|
|
shl eax, 3
|
|
|
|
add eax, [ebp+NTFS.mft_retrieval]
|
|
|
|
cmp eax, esi
|
|
|
|
pop eax
|
|
|
|
jz .nomft
|
|
|
|
jmp .mftscan
|
|
|
|
@@:
|
|
|
|
popad
|
|
|
|
ret
|
|
|
|
.errread:
|
|
|
|
pop ecx
|
|
|
|
.errret:
|
|
|
|
mov [esp+28], eax
|
|
|
|
stc
|
|
|
|
popad
|
|
|
|
ret
|
|
|
|
.nomft:
|
|
|
|
; 1. Read file record.
|
|
|
|
; N.B. This will do recursive call of read_attr for $MFT::$Data.
|
|
|
|
mov eax, [ebp+NTFS.ntfs_cur_iRecord]
|
|
|
|
mov [ebp+NTFS.ntfs_attr_iRecord], eax
|
|
|
|
and [ebp+NTFS.ntfs_attr_list], 0
|
|
|
|
or dword [ebp+NTFS.ntfs_attr_size], -1
|
|
|
|
or dword [ebp+NTFS.ntfs_attr_size+4], -1
|
|
|
|
or [ebp+NTFS.ntfs_attr_iBaseRecord], -1
|
|
|
|
call ntfs_read_file_record
|
|
|
|
jc .errret
|
|
|
|
; 2. Find required attribute.
|
|
|
|
mov eax, [ebp+NTFS.frs_buffer]
|
|
|
|
; a) For auxiliary records, read base record
|
|
|
|
; N.B. If base record is present,
|
|
|
|
; base iRecord may be 0 (for $Mft), but SequenceNumber is nonzero
|
|
|
|
cmp dword [eax+24h], 0
|
|
|
|
jz @f
|
|
|
|
mov eax, [eax+20h]
|
|
|
|
; test eax, eax
|
|
|
|
; jz @f
|
|
|
|
.beginfindattr:
|
|
|
|
mov [ebp+NTFS.ntfs_attr_iRecord], eax
|
|
|
|
call ntfs_read_file_record
|
|
|
|
jc .errret
|
|
|
|
@@:
|
|
|
|
; b) Scan for required attribute and for $ATTR_LIST
|
|
|
|
mov eax, [ebp+NTFS.frs_buffer]
|
|
|
|
movzx ecx, word [eax+14h]
|
|
|
|
add eax, ecx
|
|
|
|
mov ecx, [ebp+NTFS.ntfs_cur_attr]
|
|
|
|
and [ebp+NTFS.ntfs_attr_offs], 0
|
|
|
|
.scanattr:
|
|
|
|
cmp dword [eax], -1
|
|
|
|
jz .scandone
|
|
|
|
cmp dword [eax], ecx
|
|
|
|
jz .okattr
|
|
|
|
cmp [ebp+NTFS.ntfs_attr_iBaseRecord], -1
|
|
|
|
jnz .scancont
|
|
|
|
cmp dword [eax], 0x20 ; $ATTR_LIST
|
|
|
|
jnz .scancont
|
|
|
|
mov [ebp+NTFS.ntfs_attr_list], eax
|
|
|
|
jmp .scancont
|
|
|
|
.okattr:
|
|
|
|
; ignore named $DATA attributes (aka NTFS streams)
|
|
|
|
cmp ecx, 0x80
|
|
|
|
jnz @f
|
|
|
|
cmp byte [eax+9], 0
|
|
|
|
jnz .scancont
|
|
|
|
@@:
|
|
|
|
mov [ebp+NTFS.ntfs_attr_offs], eax
|
|
|
|
.scancont:
|
|
|
|
add eax, [eax+4]
|
|
|
|
jmp .scanattr
|
|
|
|
.continue:
|
|
|
|
pushad
|
|
|
|
and [ebp+NTFS.ntfs_cur_read], 0
|
|
|
|
.scandone:
|
|
|
|
; c) Check for required offset and length
|
|
|
|
mov ecx, [ebp+NTFS.ntfs_attr_offs]
|
|
|
|
jecxz .noattr
|
|
|
|
push [ebp+NTFS.ntfs_cur_size]
|
|
|
|
push [ebp+NTFS.ntfs_cur_read]
|
|
|
|
call .doreadattr
|
|
|
|
pop edx
|
|
|
|
pop ecx
|
|
|
|
jc @f
|
|
|
|
cmp [ebp+NTFS.ntfs_bCanContinue], 0
|
|
|
|
jz @f
|
|
|
|
sub edx, [ebp+NTFS.ntfs_cur_read]
|
|
|
|
neg edx
|
|
|
|
shr edx, 9
|
|
|
|
sub ecx, edx
|
|
|
|
mov [ebp+NTFS.ntfs_cur_size], ecx
|
|
|
|
jnz .not_in_cur
|
|
|
|
@@:
|
|
|
|
popad
|
|
|
|
ret
|
|
|
|
.noattr:
|
|
|
|
.not_in_cur:
|
|
|
|
cmp [ebp+NTFS.ntfs_cur_attr], 0x20
|
|
|
|
jz @f
|
|
|
|
mov ecx, [ebp+NTFS.ntfs_attr_list]
|
|
|
|
test ecx, ecx
|
|
|
|
jnz .lookattr
|
|
|
|
.ret_is_attr:
|
|
|
|
and dword [esp+28], 0
|
|
|
|
cmp [ebp+NTFS.ntfs_attr_offs], 1 ; CF set <=> ntfs_attr_offs == 0
|
|
|
|
popad
|
|
|
|
ret
|
|
|
|
.lookattr:
|
|
|
|
; required attribute or required offset was not found in base record;
|
|
|
|
; it may be present in auxiliary records;
|
|
|
|
; scan $ATTR_LIST
|
|
|
|
mov eax, [ebp+NTFS.ntfs_attr_iBaseRecord]
|
|
|
|
cmp eax, -1
|
|
|
|
jz @f
|
|
|
|
call ntfs_read_file_record
|
|
|
|
jc .errret
|
|
|
|
or [ebp+NTFS.ntfs_attr_iBaseRecord], -1
|
|
|
|
@@:
|
|
|
|
push [ebp+NTFS.ntfs_cur_offs]
|
|
|
|
push [ebp+NTFS.ntfs_cur_size]
|
|
|
|
push [ebp+NTFS.ntfs_cur_read]
|
|
|
|
push [ebp+NTFS.ntfs_cur_buf]
|
|
|
|
push dword [ebp+NTFS.ntfs_attr_size]
|
|
|
|
push dword [ebp+NTFS.ntfs_attr_size+4]
|
|
|
|
or dword [ebp+NTFS.ntfs_attr_size], -1
|
|
|
|
or dword [ebp+NTFS.ntfs_attr_size+4], -1
|
|
|
|
and [ebp+NTFS.ntfs_cur_offs], 0
|
|
|
|
mov [ebp+NTFS.ntfs_cur_size], 2
|
|
|
|
and [ebp+NTFS.ntfs_cur_read], 0
|
|
|
|
lea eax, [ebp+NTFS.ntfs_attrlist_buf]
|
|
|
|
cmp [ebp+NTFS.ntfs_cur_iRecord], 0
|
|
|
|
jnz @f
|
|
|
|
lea eax, [ebp+NTFS.ntfs_attrlist_mft_buf]
|
|
|
|
@@:
|
|
|
|
mov [ebp+NTFS.ntfs_cur_buf], eax
|
|
|
|
push eax
|
|
|
|
call .doreadattr
|
|
|
|
pop esi
|
|
|
|
mov edx, 1
|
|
|
|
pop dword [ebp+NTFS.ntfs_attr_size+4]
|
|
|
|
pop dword [ebp+NTFS.ntfs_attr_size]
|
|
|
|
mov ecx, [ebp+NTFS.ntfs_cur_read]
|
|
|
|
pop [ebp+NTFS.ntfs_cur_buf]
|
|
|
|
pop [ebp+NTFS.ntfs_cur_read]
|
|
|
|
pop [ebp+NTFS.ntfs_cur_size]
|
|
|
|
pop [ebp+NTFS.ntfs_cur_offs]
|
|
|
|
jc .errret
|
|
|
|
or edi, -1
|
|
|
|
lea ecx, [ecx+esi-1Ah]
|
|
|
|
.scanliststart:
|
|
|
|
push ecx
|
|
|
|
mov eax, [ebp+NTFS.ntfs_cur_attr]
|
|
|
|
.scanlist:
|
|
|
|
cmp esi, [esp]
|
|
|
|
jae .scanlistdone
|
|
|
|
cmp eax, [esi]
|
|
|
|
jz @f
|
|
|
|
.scanlistcont:
|
|
|
|
movzx ecx, word [esi+4]
|
|
|
|
add esi, ecx
|
|
|
|
jmp .scanlist
|
|
|
|
@@:
|
|
|
|
; ignore named $DATA attributes (aka NTFS streams)
|
|
|
|
cmp eax, 0x80
|
|
|
|
jnz @f
|
|
|
|
cmp byte [esi+6], 0
|
|
|
|
jnz .scanlistcont
|
|
|
|
@@:
|
|
|
|
push eax
|
|
|
|
mov eax, [esi+8]
|
|
|
|
test eax, eax
|
|
|
|
jnz .testf
|
|
|
|
mov eax, dword [ebp+NTFS.ntfs_attr_size]
|
|
|
|
and eax, dword [ebp+NTFS.ntfs_attr_size+4]
|
|
|
|
cmp eax, -1
|
|
|
|
jnz .testfz
|
|
|
|
; if attribute is in auxiliary records, its size is defined only in first
|
|
|
|
mov eax, [esi+10h]
|
|
|
|
call ntfs_read_file_record
|
|
|
|
jnc @f
|
|
|
|
.errret_pop:
|
|
|
|
pop ecx ecx
|
|
|
|
jmp .errret
|
|
|
|
.errret2_pop:
|
|
|
|
xor eax, eax
|
|
|
|
jmp .errret_pop
|
|
|
|
@@:
|
|
|
|
mov eax, [ebp+NTFS.frs_buffer]
|
|
|
|
movzx ecx, word [eax+14h]
|
|
|
|
add eax, ecx
|
|
|
|
mov ecx, [ebp+NTFS.ntfs_cur_attr]
|
|
|
|
@@:
|
|
|
|
cmp dword [eax], -1
|
|
|
|
jz .errret2_pop
|
|
|
|
cmp dword [eax], ecx
|
|
|
|
jz @f
|
|
|
|
.l1:
|
|
|
|
add eax, [eax+4]
|
|
|
|
jmp @b
|
|
|
|
@@:
|
|
|
|
cmp eax, 0x80
|
|
|
|
jnz @f
|
|
|
|
cmp byte [eax+9], 0
|
|
|
|
jnz .l1
|
|
|
|
@@:
|
|
|
|
cmp byte [eax+8], 0
|
|
|
|
jnz .sdnores
|
|
|
|
mov eax, [eax+10h]
|
|
|
|
mov dword [ebp+NTFS.ntfs_attr_size], eax
|
|
|
|
and dword [ebp+NTFS.ntfs_attr_size+4], 0
|
|
|
|
jmp .testfz
|
|
|
|
.sdnores:
|
|
|
|
mov ecx, [eax+30h]
|
|
|
|
mov dword [ebp+NTFS.ntfs_attr_size], ecx
|
|
|
|
mov ecx, [eax+34h]
|
|
|
|
mov dword [ebp+NTFS.ntfs_attr_size+4], ecx
|
|
|
|
.testfz:
|
|
|
|
xor eax, eax
|
|
|
|
.testf:
|
|
|
|
imul eax, [ebp+NTFS.sectors_per_cluster]
|
|
|
|
cmp eax, [ebp+NTFS.ntfs_cur_offs]
|
|
|
|
pop eax
|
|
|
|
ja @f
|
|
|
|
mov edi, [esi+10h] ; keep previous iRecord
|
|
|
|
jmp .scanlistcont
|
|
|
|
@@:
|
|
|
|
pop ecx
|
|
|
|
.scanlistfound:
|
|
|
|
cmp edi, -1
|
|
|
|
jnz @f
|
|
|
|
popad
|
|
|
|
ret
|
|
|
|
@@:
|
|
|
|
mov eax, [ebp+NTFS.ntfs_cur_iRecord]
|
|
|
|
mov [ebp+NTFS.ntfs_attr_iBaseRecord], eax
|
|
|
|
mov eax, edi
|
|
|
|
jmp .beginfindattr
|
|
|
|
.scanlistdone:
|
|
|
|
pop ecx
|
|
|
|
sub ecx, ebp
|
|
|
|
sub ecx, NTFS.ntfs_attrlist_buf-1Ah
|
|
|
|
cmp [ebp+NTFS.ntfs_cur_iRecord], 0
|
|
|
|
jnz @f
|
|
|
|
sub ecx, NTFS.ntfs_attrlist_mft_buf-NTFS.ntfs_attrlist_buf
|
|
|
|
@@:
|
|
|
|
cmp ecx, 0x400
|
|
|
|
jnz .scanlistfound
|
|
|
|
inc edx
|
|
|
|
push esi edi
|
|
|
|
lea esi, [ebp+NTFS.ntfs_attrlist_buf+0x200]
|
|
|
|
lea edi, [ebp+NTFS.ntfs_attrlist_buf]
|
|
|
|
cmp [ebp+NTFS.ntfs_cur_iRecord], 0
|
|
|
|
jnz @f
|
|
|
|
lea esi, [ebp+NTFS.ntfs_attrlist_mft_buf+0x200]
|
|
|
|
lea edi, [ebp+NTFS.ntfs_attrlist_mft_buf]
|
|
|
|
@@:
|
|
|
|
mov ecx, 0x200/4
|
|
|
|
rep movsd
|
|
|
|
mov eax, edi
|
|
|
|
pop edi esi
|
|
|
|
sub esi, 0x200
|
|
|
|
push [ebp+NTFS.ntfs_cur_offs]
|
|
|
|
push [ebp+NTFS.ntfs_cur_size]
|
|
|
|
push [ebp+NTFS.ntfs_cur_read]
|
|
|
|
push [ebp+NTFS.ntfs_cur_buf]
|
|
|
|
push dword [ebp+NTFS.ntfs_attr_size]
|
|
|
|
push dword [ebp+NTFS.ntfs_attr_size+4]
|
|
|
|
or dword [ebp+NTFS.ntfs_attr_size], -1
|
|
|
|
or dword [ebp+NTFS.ntfs_attr_size+4], -1
|
|
|
|
mov [ebp+NTFS.ntfs_cur_offs], edx
|
|
|
|
mov [ebp+NTFS.ntfs_cur_size], 1
|
|
|
|
and [ebp+NTFS.ntfs_cur_read], 0
|
|
|
|
mov [ebp+NTFS.ntfs_cur_buf], eax
|
|
|
|
mov ecx, [ebp+NTFS.ntfs_attr_list]
|
|
|
|
push esi edx edi
|
|
|
|
call .doreadattr
|
|
|
|
pop edi edx esi
|
|
|
|
mov ecx, [ebp+NTFS.ntfs_cur_read]
|
|
|
|
pop dword [ebp+NTFS.ntfs_attr_size+4]
|
|
|
|
pop dword [ebp+NTFS.ntfs_attr_size]
|
|
|
|
pop [ebp+NTFS.ntfs_cur_buf]
|
|
|
|
pop [ebp+NTFS.ntfs_cur_read]
|
|
|
|
pop [ebp+NTFS.ntfs_cur_size]
|
|
|
|
pop [ebp+NTFS.ntfs_cur_offs]
|
|
|
|
jc .errret
|
|
|
|
lea ecx, [ecx+ebp+NTFS.ntfs_attrlist_buf+0x200-0x1A]
|
|
|
|
cmp [ebp+NTFS.ntfs_cur_iRecord], 0
|
|
|
|
jnz .scanliststart
|
|
|
|
add ecx, NTFS.ntfs_attrlist_mft_buf-NTFS.ntfs_attrlist_buf
|
|
|
|
jmp .scanliststart
|
|
|
|
|
|
|
|
.doreadattr:
|
|
|
|
mov [ebp+NTFS.ntfs_bCanContinue], 0
|
|
|
|
cmp byte [ecx+8], 0
|
|
|
|
jnz .nonresident
|
|
|
|
mov eax, [ecx+10h] ; length
|
|
|
|
mov esi, eax
|
|
|
|
mov edx, [ebp+NTFS.ntfs_cur_offs]
|
|
|
|
shr eax, 9
|
|
|
|
cmp eax, edx
|
|
|
|
jb .okret
|
|
|
|
shl edx, 9
|
|
|
|
sub esi, edx
|
|
|
|
movzx eax, word [ecx+14h]
|
|
|
|
add edx, eax
|
|
|
|
add edx, ecx ; edx -> data
|
|
|
|
mov eax, [ebp+NTFS.ntfs_cur_size]
|
|
|
|
cmp eax, (0xFFFFFFFF shr 9)+1
|
|
|
|
jbe @f
|
|
|
|
mov eax, (0xFFFFFFFF shr 9)+1
|
|
|
|
@@:
|
|
|
|
shl eax, 9
|
|
|
|
cmp eax, esi
|
|
|
|
jbe @f
|
|
|
|
mov eax, esi
|
|
|
|
@@:
|
|
|
|
; eax = length, edx -> data
|
|
|
|
mov [ebp+NTFS.ntfs_cur_read], eax
|
|
|
|
mov ecx, eax
|
|
|
|
mov eax, edx
|
|
|
|
mov ebx, [ebp+NTFS.ntfs_cur_buf]
|
|
|
|
call memmove
|
|
|
|
and [ebp+NTFS.ntfs_cur_size], 0 ; CF=0
|
|
|
|
ret
|
|
|
|
.nonresident:
|
|
|
|
; Not all auxiliary records contain correct FileSize info
|
|
|
|
mov eax, dword [ebp+NTFS.ntfs_attr_size]
|
|
|
|
mov edx, dword [ebp+NTFS.ntfs_attr_size+4]
|
|
|
|
push eax
|
|
|
|
and eax, edx
|
|
|
|
cmp eax, -1
|
|
|
|
pop eax
|
|
|
|
jnz @f
|
|
|
|
mov eax, [ecx+30h] ; FileSize
|
|
|
|
mov edx, [ecx+34h]
|
|
|
|
mov dword [ebp+NTFS.ntfs_attr_size], eax
|
|
|
|
mov dword [ebp+NTFS.ntfs_attr_size+4], edx
|
|
|
|
@@:
|
|
|
|
add eax, 0x1FF
|
|
|
|
adc edx, 0
|
|
|
|
shrd eax, edx, 9
|
|
|
|
sub eax, [ebp+NTFS.ntfs_cur_offs]
|
|
|
|
ja @f
|
|
|
|
; return with nothing read
|
|
|
|
and [ebp+NTFS.ntfs_cur_size], 0
|
|
|
|
.okret:
|
|
|
|
clc
|
|
|
|
ret
|
|
|
|
@@:
|
|
|
|
; reduce read length
|
|
|
|
and [ebp+NTFS.ntfs_cur_tail], 0
|
|
|
|
cmp [ebp+NTFS.ntfs_cur_size], eax
|
|
|
|
jb @f
|
|
|
|
mov [ebp+NTFS.ntfs_cur_size], eax
|
|
|
|
mov eax, dword [ebp+NTFS.ntfs_attr_size]
|
|
|
|
and eax, 0x1FF
|
|
|
|
mov [ebp+NTFS.ntfs_cur_tail], eax
|
|
|
|
@@:
|
|
|
|
cmp [ebp+NTFS.ntfs_cur_size], 0
|
|
|
|
jz .okret
|
|
|
|
mov eax, [ebp+NTFS.ntfs_cur_offs]
|
|
|
|
xor edx, edx
|
|
|
|
div [ebp+NTFS.sectors_per_cluster]
|
|
|
|
sub eax, [ecx+10h] ; first_vbo
|
|
|
|
jb .okret
|
|
|
|
; eax = cluster, edx = starting sector
|
|
|
|
sub esp, 10h
|
|
|
|
movzx esi, word [ecx+20h] ; mcb_info_ofs
|
|
|
|
add esi, ecx
|
|
|
|
xor edi, edi
|
|
|
|
.readloop:
|
|
|
|
call ntfs_decode_mcb_entry
|
|
|
|
jnc .break
|
|
|
|
add edi, [esp+8]
|
|
|
|
sub eax, [esp]
|
|
|
|
jae .readloop
|
|
|
|
push ecx
|
|
|
|
push eax
|
|
|
|
add eax, [esp+8]
|
|
|
|
add eax, edi
|
|
|
|
imul eax, [ebp+NTFS.sectors_per_cluster]
|
|
|
|
add eax, edx
|
|
|
|
pop ecx
|
|
|
|
neg ecx
|
|
|
|
imul ecx, [ebp+NTFS.sectors_per_cluster]
|
|
|
|
sub ecx, edx
|
|
|
|
cmp ecx, [ebp+NTFS.ntfs_cur_size]
|
|
|
|
jb @f
|
|
|
|
mov ecx, [ebp+NTFS.ntfs_cur_size]
|
|
|
|
@@:
|
|
|
|
mov ebx, [ebp+NTFS.ntfs_cur_buf]
|
|
|
|
@@:
|
|
|
|
push eax
|
|
|
|
cmp [ebp+NTFS.ntfs_cur_attr], 0x80
|
|
|
|
jnz .sys
|
|
|
|
cmp [ebp+NTFS.ntfs_cur_iRecord], 0
|
|
|
|
jz .sys
|
|
|
|
call fs_read32_app
|
|
|
|
jmp .appsys
|
|
|
|
.sys:
|
|
|
|
call fs_read32_sys
|
|
|
|
.appsys:
|
|
|
|
pop edx
|
|
|
|
test eax, eax
|
|
|
|
jnz .errread2
|
|
|
|
add ebx, 0x200
|
|
|
|
mov [ebp+NTFS.ntfs_cur_buf], ebx
|
|
|
|
lea eax, [edx+1]
|
|
|
|
add [ebp+NTFS.ntfs_cur_read], 0x200
|
|
|
|
dec [ebp+NTFS.ntfs_cur_size]
|
|
|
|
inc [ebp+NTFS.ntfs_cur_offs]
|
|
|
|
loop @b
|
|
|
|
pop ecx
|
|
|
|
xor eax, eax
|
|
|
|
xor edx, edx
|
|
|
|
cmp [ebp+NTFS.ntfs_cur_size], 0
|
|
|
|
jnz .readloop
|
|
|
|
add esp, 10h
|
|
|
|
mov eax, [ebp+NTFS.ntfs_cur_tail]
|
|
|
|
test eax, eax
|
|
|
|
jz @f
|
|
|
|
sub eax, 0x200
|
|
|
|
add [ebp+NTFS.ntfs_cur_read], eax
|
|
|
|
@@:
|
|
|
|
clc
|
|
|
|
ret
|
|
|
|
.errread2:
|
|
|
|
pop ecx
|
|
|
|
add esp, 10h
|
|
|
|
stc
|
|
|
|
ret
|
|
|
|
.break:
|
|
|
|
add esp, 10h ; CF=0
|
|
|
|
mov [ebp+NTFS.ntfs_bCanContinue], 1
|
|
|
|
ret
|
|
|
|
|
|
|
|
ntfs_read_file_record:
|
|
|
|
; in: eax=iRecord
|
|
|
|
; out: [ebp+NTFS.frs_buffer] contains information
|
|
|
|
; CF=1 - failed, in this case eax=0 => something with FS, eax nonzero => disk error
|
|
|
|
; Read attr $DATA of $Mft, starting from eax*[ebp+NTFS.frs_size]
|
|
|
|
push ecx edx
|
|
|
|
mov ecx, [ebp+NTFS.frs_size]
|
|
|
|
mul ecx
|
|
|
|
shrd eax, edx, 9
|
|
|
|
shr edx, 9
|
|
|
|
jnz .errret
|
|
|
|
push [ebp+NTFS.ntfs_attr_iRecord]
|
|
|
|
push [ebp+NTFS.ntfs_attr_iBaseRecord]
|
|
|
|
push [ebp+NTFS.ntfs_attr_offs]
|
|
|
|
push [ebp+NTFS.ntfs_attr_list]
|
|
|
|
push dword [ebp+NTFS.ntfs_attr_size+4]
|
|
|
|
push dword [ebp+NTFS.ntfs_attr_size]
|
|
|
|
push [ebp+NTFS.ntfs_cur_iRecord]
|
|
|
|
push [ebp+NTFS.ntfs_cur_attr]
|
|
|
|
push [ebp+NTFS.ntfs_cur_offs]
|
|
|
|
push [ebp+NTFS.ntfs_cur_size]
|
|
|
|
push [ebp+NTFS.ntfs_cur_buf]
|
|
|
|
push [ebp+NTFS.ntfs_cur_read]
|
|
|
|
mov [ebp+NTFS.ntfs_cur_attr], 0x80 ; $DATA
|
|
|
|
and [ebp+NTFS.ntfs_cur_iRecord], 0 ; $Mft
|
|
|
|
mov [ebp+NTFS.ntfs_cur_offs], eax
|
|
|
|
shr ecx, 9
|
|
|
|
mov [ebp+NTFS.ntfs_cur_size], ecx
|
|
|
|
mov eax, [ebp+NTFS.frs_buffer]
|
|
|
|
mov [ebp+NTFS.ntfs_cur_buf], eax
|
|
|
|
call ntfs_read_attr
|
|
|
|
mov edx, [ebp+NTFS.ntfs_cur_read]
|
|
|
|
pop [ebp+NTFS.ntfs_cur_read]
|
|
|
|
pop [ebp+NTFS.ntfs_cur_buf]
|
|
|
|
pop [ebp+NTFS.ntfs_cur_size]
|
|
|
|
pop [ebp+NTFS.ntfs_cur_offs]
|
|
|
|
pop [ebp+NTFS.ntfs_cur_attr]
|
|
|
|
pop [ebp+NTFS.ntfs_cur_iRecord]
|
|
|
|
pop dword [ebp+NTFS.ntfs_attr_size]
|
|
|
|
pop dword [ebp+NTFS.ntfs_attr_size+4]
|
|
|
|
pop [ebp+NTFS.ntfs_attr_list]
|
|
|
|
pop [ebp+NTFS.ntfs_attr_offs]
|
|
|
|
pop [ebp+NTFS.ntfs_attr_iBaseRecord]
|
|
|
|
pop [ebp+NTFS.ntfs_attr_iRecord]
|
|
|
|
jc .ret
|
|
|
|
cmp edx, [ebp+NTFS.frs_size]
|
|
|
|
jnz .errret
|
|
|
|
mov eax, [ebp+NTFS.frs_buffer]
|
|
|
|
cmp dword [eax], 'FILE'
|
|
|
|
jnz .errret
|
|
|
|
push ebx
|
|
|
|
mov ebx, eax
|
|
|
|
call ntfs_restore_usa_frs
|
|
|
|
pop ebx
|
|
|
|
jc .errret
|
|
|
|
.ret:
|
|
|
|
pop edx ecx
|
|
|
|
ret
|
|
|
|
.errret:
|
|
|
|
pop edx ecx
|
|
|
|
xor eax, eax
|
|
|
|
stc
|
|
|
|
ret
|
|
|
|
|
|
|
|
ntfs_restore_usa_frs:
|
|
|
|
mov eax, [ebp+NTFS.frs_size]
|
|
|
|
ntfs_restore_usa:
|
|
|
|
pushad
|
|
|
|
shr eax, 9
|
|
|
|
mov ecx, eax
|
|
|
|
inc eax
|
|
|
|
cmp [ebx+6], ax
|
|
|
|
jnz .err
|
|
|
|
movzx eax, word [ebx+4]
|
|
|
|
lea esi, [eax+ebx]
|
|
|
|
lodsw
|
|
|
|
mov edx, eax
|
|
|
|
lea edi, [ebx+0x1FE]
|
|
|
|
@@:
|
|
|
|
cmp [edi], dx
|
|
|
|
jnz .err
|
|
|
|
lodsw
|
|
|
|
stosw
|
|
|
|
add edi, 0x1FE
|
|
|
|
loop @b
|
|
|
|
popad
|
|
|
|
clc
|
|
|
|
ret
|
|
|
|
.err:
|
|
|
|
popad
|
|
|
|
stc
|
|
|
|
ret
|
|
|
|
|
|
|
|
ntfs_decode_mcb_entry:
|
|
|
|
push eax ecx edi
|
|
|
|
lea edi, [esp+16]
|
|
|
|
xor eax, eax
|
|
|
|
lodsb
|
|
|
|
test al, al
|
|
|
|
jz .end
|
|
|
|
mov ecx, eax
|
|
|
|
and ecx, 0xF
|
|
|
|
cmp ecx, 8
|
|
|
|
ja .end
|
|
|
|
push ecx
|
|
|
|
rep movsb
|
|
|
|
pop ecx
|
|
|
|
sub ecx, 8
|
|
|
|
neg ecx
|
|
|
|
cmp byte [esi-1], 80h
|
|
|
|
jae .end
|
|
|
|
push eax
|
|
|
|
xor eax, eax
|
|
|
|
rep stosb
|
|
|
|
pop ecx
|
|
|
|
shr ecx, 4
|
|
|
|
cmp ecx, 8
|
|
|
|
ja .end
|
|
|
|
push ecx
|
|
|
|
rep movsb
|
|
|
|
pop ecx
|
|
|
|
sub ecx, 8
|
|
|
|
neg ecx
|
|
|
|
cmp byte [esi-1], 80h
|
|
|
|
cmc
|
|
|
|
sbb eax, eax
|
|
|
|
rep stosb
|
|
|
|
stc
|
|
|
|
.end:
|
|
|
|
pop edi ecx eax
|
|
|
|
ret
|
|
|
|
|
|
|
|
unichar_toupper:
|
|
|
|
push eax
|
|
|
|
call uni2ansi_char
|
|
|
|
cmp al, '_'
|
|
|
|
jz .unk
|
|
|
|
add esp, 4
|
|
|
|
call char_toupper
|
|
|
|
jmp ansi2uni_char
|
|
|
|
.unk:
|
|
|
|
pop eax
|
|
|
|
ret
|
|
|
|
|
|
|
|
ntfs_find_lfn:
|
|
|
|
; in: esi+[esp+4] -> name
|
|
|
|
; out: CF=1 - file not found
|
|
|
|
; else CF=0, [ebp+NTFS.ntfs_cur_iRecord] valid, eax->record in parent directory
|
|
|
|
mov [ebp+NTFS.ntfs_cur_iRecord], 5 ; start parse from root cluster
|
|
|
|
.doit2:
|
|
|
|
mov [ebp+NTFS.ntfs_cur_attr], 0x90 ; $INDEX_ROOT
|
|
|
|
and [ebp+NTFS.ntfs_cur_offs], 0
|
|
|
|
mov eax, [ebp+NTFS.cur_index_size]
|
|
|
|
mov [ebp+NTFS.ntfs_cur_size], eax
|
|
|
|
mov eax, [ebp+NTFS.cur_index_buf]
|
|
|
|
mov [ebp+NTFS.ntfs_cur_buf], eax
|
|
|
|
call ntfs_read_attr
|
|
|
|
jnc @f
|
|
|
|
.ret:
|
|
|
|
ret 4
|
|
|
|
@@:
|
|
|
|
xor eax, eax
|
|
|
|
cmp [ebp+NTFS.ntfs_cur_read], 0x20
|
|
|
|
jc .ret
|
|
|
|
pushad
|
|
|
|
mov esi, [ebp+NTFS.cur_index_buf]
|
|
|
|
mov eax, [esi+14h]
|
|
|
|
add eax, 10h
|
|
|
|
cmp [ebp+NTFS.ntfs_cur_read], eax
|
|
|
|
jae .readok1
|
|
|
|
add eax, 1FFh
|
|
|
|
shr eax, 9
|
|
|
|
cmp eax, [ebp+NTFS.cur_index_size]
|
|
|
|
ja @f
|
|
|
|
.stc_ret:
|
|
|
|
popad
|
|
|
|
stc
|
|
|
|
ret 4
|
|
|
|
@@:
|
|
|
|
; reallocate
|
|
|
|
push eax
|
|
|
|
push [ebp+NTFS.cur_index_buf]
|
|
|
|
call kernel_free
|
|
|
|
pop eax
|
|
|
|
mov [ebp+NTFS.cur_index_size], eax
|
|
|
|
push eax
|
|
|
|
call kernel_alloc
|
|
|
|
test eax, eax
|
|
|
|
jnz @f
|
|
|
|
and [ebp+NTFS.cur_index_size], 0
|
|
|
|
and [ebp+NTFS.cur_index_buf], 0
|
|
|
|
jmp .stc_ret
|
|
|
|
@@:
|
|
|
|
mov [ebp+NTFS.cur_index_buf], eax
|
|
|
|
popad
|
|
|
|
jmp .doit2
|
|
|
|
.readok1:
|
|
|
|
mov edx, [esi+8] ; subnode_size
|
|
|
|
shr edx, 9
|
|
|
|
cmp edx, [ebp+NTFS.cur_index_size]
|
|
|
|
jbe .ok2
|
|
|
|
push esi edx
|
|
|
|
push edx
|
|
|
|
call kernel_alloc
|
|
|
|
pop edx esi
|
|
|
|
test eax, eax
|
|
|
|
jz .stc_ret
|
|
|
|
mov edi, eax
|
|
|
|
mov ecx, [ebp+NTFS.cur_index_size]
|
|
|
|
shl ecx, 9-2
|
|
|
|
rep movsd
|
|
|
|
mov esi, eax
|
|
|
|
mov [ebp+NTFS.cur_index_size], edx
|
|
|
|
push esi edx
|
|
|
|
push [ebp+NTFS.cur_index_buf]
|
|
|
|
call kernel_free
|
|
|
|
pop edx esi
|
|
|
|
mov [ebp+NTFS.cur_index_buf], esi
|
|
|
|
.ok2:
|
|
|
|
add esi, 10h
|
|
|
|
mov edi, [esp+4]
|
|
|
|
; edi -> name, esi -> current index data, edx = subnode size
|
|
|
|
.scanloop:
|
|
|
|
add esi, [esi]
|
|
|
|
.scanloopint:
|
|
|
|
test byte [esi+0Ch], 2
|
|
|
|
jnz .subnode
|
|
|
|
push esi
|
|
|
|
add esi, 0x52
|
|
|
|
movzx ecx, byte [esi-2]
|
|
|
|
push edi
|
|
|
|
@@:
|
|
|
|
lodsw
|
|
|
|
call unichar_toupper
|
|
|
|
push eax
|
|
|
|
mov al, [edi]
|
|
|
|
inc edi
|
|
|
|
cmp al, '/'
|
|
|
|
jz .slash
|
|
|
|
call char_toupper
|
|
|
|
call ansi2uni_char
|
|
|
|
cmp ax, [esp]
|
|
|
|
pop eax
|
|
|
|
loopz @b
|
|
|
|
jz .found
|
|
|
|
pop edi
|
|
|
|
pop esi
|
|
|
|
jb .subnode
|
|
|
|
.scanloopcont:
|
|
|
|
movzx eax, word [esi+8]
|
|
|
|
add esi, eax
|
|
|
|
jmp .scanloopint
|
|
|
|
.slash:
|
|
|
|
pop eax
|
|
|
|
pop edi
|
|
|
|
pop esi
|
|
|
|
.subnode:
|
|
|
|
test byte [esi+0Ch], 1
|
|
|
|
jz .notfound
|
|
|
|
movzx eax, word [esi+8]
|
|
|
|
mov eax, [esi+eax-8]
|
|
|
|
imul eax, [ebp+NTFS.sectors_per_cluster]
|
|
|
|
mov [ebp+NTFS.ntfs_cur_offs], eax
|
|
|
|
mov [ebp+NTFS.ntfs_cur_attr], 0xA0 ; $INDEX_ALLOCATION
|
|
|
|
mov [ebp+NTFS.ntfs_cur_size], edx
|
|
|
|
mov eax, [ebp+NTFS.cur_index_buf]
|
|
|
|
mov esi, eax
|
|
|
|
mov [ebp+NTFS.ntfs_cur_buf], eax
|
|
|
|
push edx
|
|
|
|
call ntfs_read_attr
|
|
|
|
pop edx
|
|
|
|
mov eax, edx
|
|
|
|
shl eax, 9
|
|
|
|
cmp [ebp+NTFS.ntfs_cur_read], eax
|
|
|
|
jnz .notfound
|
|
|
|
cmp dword [esi], 'INDX'
|
|
|
|
jnz .notfound
|
|
|
|
mov ebx, esi
|
|
|
|
call ntfs_restore_usa
|
|
|
|
jc .notfound
|
|
|
|
add esi, 0x18
|
|
|
|
jmp .scanloop
|
|
|
|
.notfound:
|
|
|
|
popad
|
|
|
|
stc
|
|
|
|
ret 4
|
|
|
|
.found:
|
|
|
|
cmp byte [edi], 0
|
|
|
|
jz .done
|
|
|
|
cmp byte [edi], '/'
|
|
|
|
jz .next
|
|
|
|
pop edi
|
|
|
|
pop esi
|
|
|
|
jmp .scanloopcont
|
|
|
|
.done:
|
|
|
|
.next:
|
|
|
|
pop esi
|
|
|
|
pop esi
|
|
|
|
mov eax, [esi]
|
|
|
|
mov [ebp+NTFS.ntfs_cur_iRecord], eax
|
|
|
|
mov [esp+1Ch], esi
|
|
|
|
mov [esp+4], edi
|
|
|
|
popad
|
|
|
|
inc esi
|
|
|
|
cmp byte [esi-1], 0
|
|
|
|
jnz .doit2
|
|
|
|
cmp dword [esp+4], 0
|
|
|
|
jz @f
|
|
|
|
mov esi, [esp+4]
|
|
|
|
mov dword [esp+4], 0
|
|
|
|
jmp .doit2
|
|
|
|
@@:
|
|
|
|
ret 4
|
|
|
|
|
|
|
|
;----------------------------------------------------------------
|
|
|
|
; ntfs_Read - NTFS implementation of reading a file
|
|
|
|
; in: ebp = pointer to NTFS structure
|
|
|
|
; in: esi+[esp+4] = name
|
|
|
|
; in: ebx = pointer to parameters from sysfunc 70
|
|
|
|
; out: eax, ebx = return values for sysfunc 70
|
|
|
|
;----------------------------------------------------------------
|
|
|
|
ntfs_Read:
|
|
|
|
cmp byte [esi], 0
|
|
|
|
jnz @f
|
|
|
|
or ebx, -1
|
|
|
|
movi eax, ERROR_ACCESS_DENIED
|
|
|
|
ret
|
|
|
|
@@:
|
|
|
|
call ntfs_lock
|
|
|
|
stdcall ntfs_find_lfn, [esp+4]
|
|
|
|
jnc .found
|
|
|
|
call ntfs_unlock
|
|
|
|
or ebx, -1
|
|
|
|
movi eax, ERROR_FILE_NOT_FOUND
|
|
|
|
ret
|
|
|
|
.found:
|
|
|
|
mov [ebp+NTFS.ntfs_cur_attr], 0x80 ; $DATA
|
|
|
|
and [ebp+NTFS.ntfs_cur_offs], 0
|
|
|
|
and [ebp+NTFS.ntfs_cur_size], 0
|
|
|
|
call ntfs_read_attr
|
|
|
|
jnc @f
|
|
|
|
call ntfs_unlock
|
|
|
|
or ebx, -1
|
|
|
|
movi eax, ERROR_ACCESS_DENIED
|
|
|
|
ret
|
|
|
|
@@:
|
|
|
|
pushad
|
|
|
|
and dword [esp+10h], 0
|
|
|
|
xor eax, eax
|
|
|
|
cmp dword [ebx+8], 0x200
|
|
|
|
jb @f
|
|
|
|
.eof0:
|
|
|
|
popad
|
|
|
|
xor ebx, ebx
|
|
|
|
.eof:
|
|
|
|
movi eax, ERROR_END_OF_FILE
|
|
|
|
push eax
|
|
|
|
call ntfs_unlock
|
|
|
|
pop eax
|
|
|
|
ret
|
|
|
|
@@:
|
|
|
|
mov ecx, [ebx+12]
|
|
|
|
mov edx, [ebx+16]
|
|
|
|
mov eax, [ebx+4]
|
|
|
|
test eax, 0x1FF
|
|
|
|
jz .alignedstart
|
|
|
|
push edx
|
|
|
|
mov edx, [ebx+8]
|
|
|
|
shrd eax, edx, 9
|
|
|
|
pop edx
|
|
|
|
mov [ebp+NTFS.ntfs_cur_offs], eax
|
|
|
|
mov [ebp+NTFS.ntfs_cur_size], 1
|
|
|
|
lea eax, [ebp+NTFS.ntfs_bitmap_buf]
|
|
|
|
mov [ebp+NTFS.ntfs_cur_buf], eax
|
|
|
|
call ntfs_read_attr.continue
|
|
|
|
mov eax, [ebx+4]
|
|
|
|
and eax, 0x1FF
|
|
|
|
lea esi, [ebp+NTFS.ntfs_bitmap_buf+eax]
|
|
|
|
sub eax, [ebp+NTFS.ntfs_cur_read]
|
|
|
|
jae .eof0
|
|
|
|
neg eax
|
|
|
|
push ecx
|
|
|
|
cmp ecx, eax
|
|
|
|
jb @f
|
|
|
|
mov ecx, eax
|
|
|
|
@@:
|
|
|
|
mov [esp+10h+4], ecx
|
|
|
|
mov edi, edx
|
|
|
|
rep movsb
|
|
|
|
mov edx, edi
|
|
|
|
pop ecx
|
|
|
|
sub ecx, [esp+10h]
|
|
|
|
jnz @f
|
|
|
|
.retok:
|
|
|
|
popad
|
|
|
|
call ntfs_unlock
|
|
|
|
xor eax, eax
|
|
|
|
ret
|
|
|
|
@@:
|
|
|
|
cmp [ebp+NTFS.ntfs_cur_read], 0x200
|
|
|
|
jz .alignedstart
|
|
|
|
.eof_ebx:
|
|
|
|
popad
|
|
|
|
jmp .eof
|
|
|
|
.alignedstart:
|
|
|
|
mov eax, [ebx+4]
|
|
|
|
push edx
|
|
|
|
mov edx, [ebx+8]
|
|
|
|
add eax, 511
|
|
|
|
adc edx, 0
|
|
|
|
shrd eax, edx, 9
|
|
|
|
pop edx
|
|
|
|
.zero1:
|
|
|
|
mov [ebp+NTFS.ntfs_cur_offs], eax
|
|
|
|
mov [ebp+NTFS.ntfs_cur_buf], edx
|
|
|
|
mov eax, ecx
|
|
|
|
shr eax, 9
|
|
|
|
mov [ebp+NTFS.ntfs_cur_size], eax
|
|
|
|
add eax, [ebp+NTFS.ntfs_cur_offs]
|
|
|
|
push eax
|
|
|
|
call ntfs_read_attr.continue
|
|
|
|
pop [ebp+NTFS.ntfs_cur_offs]
|
|
|
|
mov eax, [ebp+NTFS.ntfs_cur_read]
|
|
|
|
add [esp+10h], eax
|
|
|
|
mov eax, ecx
|
|
|
|
and eax, not 0x1FF
|
|
|
|
cmp [ebp+NTFS.ntfs_cur_read], eax
|
|
|
|
jnz .eof_ebx
|
|
|
|
and ecx, 0x1FF
|
|
|
|
jz .retok
|
|
|
|
add edx, [ebp+NTFS.ntfs_cur_read]
|
|
|
|
mov [ebp+NTFS.ntfs_cur_size], 1
|
|
|
|
lea eax, [ebp+NTFS.ntfs_bitmap_buf]
|
|
|
|
mov [ebp+NTFS.ntfs_cur_buf], eax
|
|
|
|
call ntfs_read_attr.continue
|
|
|
|
cmp [ebp+NTFS.ntfs_cur_read], ecx
|
|
|
|
jb @f
|
|
|
|
mov [ebp+NTFS.ntfs_cur_read], ecx
|
|
|
|
@@:
|
|
|
|
xchg ecx, [ebp+NTFS.ntfs_cur_read]
|
|
|
|
push ecx
|
|
|
|
mov edi, edx
|
|
|
|
lea esi, [ebp+NTFS.ntfs_bitmap_buf]
|
|
|
|
add [esp+10h+4], ecx
|
|
|
|
rep movsb
|
|
|
|
pop ecx
|
|
|
|
xor eax, eax
|
|
|
|
cmp ecx, [ebp+NTFS.ntfs_cur_read]
|
|
|
|
jz @f
|
|
|
|
mov al, ERROR_END_OF_FILE
|
|
|
|
@@:
|
|
|
|
mov [esp+1Ch], eax
|
|
|
|
call ntfs_unlock
|
|
|
|
popad
|
|
|
|
ret
|
|
|
|
|
|
|
|
;----------------------------------------------------------------
|
|
|
|
; ntfs_ReadFolder - NTFS implementation of reading a folder
|
|
|
|
; in: ebp = pointer to NTFS structure
|
|
|
|
; in: esi+[esp+4] = name
|
|
|
|
; in: ebx = pointer to parameters from sysfunc 70
|
|
|
|
; out: eax, ebx = return values for sysfunc 70
|
|
|
|
;----------------------------------------------------------------
|
|
|
|
ntfs_ReadFolder:
|
|
|
|
call ntfs_lock
|
|
|
|
mov eax, 5 ; root cluster
|
|
|
|
cmp byte [esi], 0
|
|
|
|
jz .doit
|
|
|
|
stdcall ntfs_find_lfn, [esp+4]
|
|
|
|
jnc .doit2
|
|
|
|
.notfound:
|
|
|
|
or ebx, -1
|
|
|
|
push ERROR_FILE_NOT_FOUND
|
|
|
|
.pop_ret:
|
|
|
|
call ntfs_unlock
|
|
|
|
pop eax
|
|
|
|
ret
|
|
|
|
.doit:
|
|
|
|
mov [ebp+NTFS.ntfs_cur_iRecord], eax
|
|
|
|
.doit2:
|
|
|
|
mov [ebp+NTFS.ntfs_cur_attr], 0x10 ; $STANDARD_INFORMATION
|
|
|
|
and [ebp+NTFS.ntfs_cur_offs], 0
|
|
|
|
mov [ebp+NTFS.ntfs_cur_size], 1
|
|
|
|
lea eax, [ebp+NTFS.ntfs_bitmap_buf]
|
|
|
|
mov [ebp+NTFS.ntfs_cur_buf], eax
|
|
|
|
call ntfs_read_attr
|
|
|
|
jc .notfound
|
|
|
|
mov [ebp+NTFS.ntfs_cur_attr], 0x90 ; $INDEX_ROOT
|
|
|
|
and [ebp+NTFS.ntfs_cur_offs], 0
|
|
|
|
mov eax, [ebp+NTFS.cur_index_size]
|
|
|
|
mov [ebp+NTFS.ntfs_cur_size], eax
|
|
|
|
mov eax, [ebp+NTFS.cur_index_buf]
|
|
|
|
mov [ebp+NTFS.ntfs_cur_buf], eax
|
|
|
|
call ntfs_read_attr
|
|
|
|
jnc .ok
|
|
|
|
test eax, eax
|
|
|
|
jz .notfound
|
|
|
|
or ebx, -1
|
|
|
|
push 11
|
|
|
|
jmp .pop_ret
|
|
|
|
.ok:
|
|
|
|
cmp [ebp+NTFS.ntfs_cur_read], 0x20
|
|
|
|
jae @f
|
|
|
|
or ebx, -1
|
|
|
|
.fserr:
|
|
|
|
push ERROR_FAT_TABLE
|
|
|
|
jmp .pop_ret
|
|
|
|
@@:
|
|
|
|
pushad
|
|
|
|
mov esi, [ebp+NTFS.cur_index_buf]
|
|
|
|
mov eax, [esi+14h]
|
|
|
|
add eax, 10h
|
|
|
|
cmp [ebp+NTFS.ntfs_cur_read], eax
|
|
|
|
jae .readok1
|
|
|
|
add eax, 1FFh
|
|
|
|
shr eax, 9
|
|
|
|
cmp eax, [ebp+NTFS.cur_index_size]
|
|
|
|
ja @f
|
|
|
|
popad
|
|
|
|
jmp .fserr
|
|
|
|
@@:
|
|
|
|
; reallocate
|
|
|
|
push eax
|
|
|
|
push [ebp+NTFS.cur_index_buf]
|
|
|
|
call kernel_free
|
|
|
|
pop eax
|
|
|
|
mov [ebp+NTFS.cur_index_size], eax
|
|
|
|
push eax
|
|
|
|
call kernel_alloc
|
|
|
|
test eax, eax
|
|
|
|
jnz @f
|
|
|
|
and [ebp+NTFS.cur_index_size], 0
|
|
|
|
and [ebp+NTFS.cur_index_buf], 0
|
|
|
|
.nomem:
|
|
|
|
call ntfs_unlock
|
|
|
|
popad
|
|
|
|
or ebx, -1
|
|
|
|
movi eax, 12
|
|
|
|
ret
|
|
|
|
@@:
|
|
|
|
mov [ebp+NTFS.cur_index_buf], eax
|
|
|
|
popad
|
|
|
|
jmp .doit2
|
|
|
|
.readok1:
|
|
|
|
mov edx, [esi+8] ; subnode_size
|
|
|
|
shr edx, 9
|
|
|
|
mov [ebp+NTFS.cur_subnode_size], edx
|
|
|
|
cmp edx, [ebp+NTFS.cur_index_size]
|
|
|
|
jbe .ok2
|
|
|
|
push esi edx
|
|
|
|
push edx
|
|
|
|
call kernel_alloc
|
|
|
|
pop edx esi
|
|
|
|
test eax, eax
|
|
|
|
jz .nomem
|
|
|
|
mov edi, eax
|
|
|
|
mov ecx, [ebp+NTFS.cur_index_size]
|
|
|
|
shl ecx, 9-2
|
|
|
|
rep movsd
|
|
|
|
mov esi, eax
|
|
|
|
mov [ebp+NTFS.cur_index_size], edx
|
|
|
|
push [ebp+NTFS.cur_index_buf]
|
|
|
|
call kernel_free
|
|
|
|
mov [ebp+NTFS.cur_index_buf], esi
|
|
|
|
.ok2:
|
|
|
|
add esi, 10h
|
|
|
|
mov edx, [ebx+16]
|
|
|
|
push dword [ebx+8] ; read ANSI/UNICODE name
|
|
|
|
; init header
|
|
|
|
mov edi, edx
|
|
|
|
mov ecx, 32/4
|
|
|
|
xor eax, eax
|
|
|
|
rep stosd
|
|
|
|
mov byte [edx], 1 ; version
|
|
|
|
mov ecx, [ebx+12]
|
|
|
|
mov ebx, [ebx+4]
|
|
|
|
push edx
|
|
|
|
mov edx, esp
|
|
|
|
; edi -> BDFE, esi -> current index data, ebx = first wanted block,
|
|
|
|
; ecx = number of blocks to read
|
|
|
|
; edx -> parameters block: dd <output>, dd <flags>
|
|
|
|
cmp [ebp+NTFS.ntfs_cur_iRecord], 5
|
|
|
|
jz .skip_specials
|
|
|
|
; dot and dotdot entries
|
|
|
|
push esi
|
|
|
|
xor esi, esi
|
|
|
|
call .add_special_entry
|
|
|
|
inc esi
|
|
|
|
call .add_special_entry
|
|
|
|
pop esi
|
|
|
|
.skip_specials:
|
|
|
|
; at first, dump index root
|
|
|
|
add esi, [esi]
|
|
|
|
.dump_root:
|
|
|
|
test byte [esi+0Ch], 2
|
|
|
|
jnz .dump_root_done
|
|
|
|
call .add_entry
|
|
|
|
movzx eax, word [esi+8]
|
|
|
|
add esi, eax
|
|
|
|
jmp .dump_root
|
|
|
|
.dump_root_done:
|
|
|
|
; now dump all subnodes
|
|
|
|
push ecx edi
|
|
|
|
lea edi, [ebp+NTFS.ntfs_bitmap_buf]
|
|
|
|
mov [ebp+NTFS.ntfs_cur_buf], edi
|
|
|
|
mov ecx, 0x400/4
|
|
|
|
xor eax, eax
|
|
|
|
rep stosd
|
|
|
|
mov [ebp+NTFS.ntfs_cur_attr], 0xB0 ; $BITMAP
|
|
|
|
and [ebp+NTFS.ntfs_cur_offs], 0
|
|
|
|
mov [ebp+NTFS.ntfs_cur_size], 2
|
|
|
|
call ntfs_read_attr
|
|
|
|
pop edi ecx
|
|
|
|
push 0 ; save offset in $BITMAP attribute
|
|
|
|
and [ebp+NTFS.ntfs_cur_offs], 0
|
|
|
|
.dumploop:
|
|
|
|
mov [ebp+NTFS.ntfs_cur_attr], 0xA0
|
|
|
|
mov eax, [ebp+NTFS.cur_subnode_size]
|
|
|
|
mov [ebp+NTFS.ntfs_cur_size], eax
|
|
|
|
mov eax, [ebp+NTFS.cur_index_buf]
|
|
|
|
mov esi, eax
|
|
|
|
mov [ebp+NTFS.ntfs_cur_buf], eax
|
|
|
|
push [ebp+NTFS.ntfs_cur_offs]
|
|
|
|
mov eax, [ebp+NTFS.ntfs_cur_offs]
|
|
|
|
imul eax, [ebp+NTFS.cur_subnode_size]
|
|
|
|
mov [ebp+NTFS.ntfs_cur_offs], eax
|
|
|
|
call ntfs_read_attr
|
|
|
|
pop [ebp+NTFS.ntfs_cur_offs]
|
|
|
|
mov eax, [ebp+NTFS.cur_subnode_size]
|
|
|
|
shl eax, 9
|
|
|
|
cmp [ebp+NTFS.ntfs_cur_read], eax
|
|
|
|
jnz .done
|
|
|
|
push eax
|
|
|
|
mov eax, [ebp+NTFS.ntfs_cur_offs]
|
|
|
|
and eax, 0x400*8-1
|
|
|
|
bt dword [ebp+NTFS.ntfs_bitmap_buf], eax
|
|
|
|
pop eax
|
|
|
|
jnc .dump_subnode_done
|
|
|
|
cmp dword [esi], 'INDX'
|
|
|
|
jnz .dump_subnode_done
|
|
|
|
push ebx
|
|
|
|
mov ebx, esi
|
|
|
|
call ntfs_restore_usa
|
|
|
|
pop ebx
|
|
|
|
jc .dump_subnode_done
|
|
|
|
add esi, 0x18
|
|
|
|
add esi, [esi]
|
|
|
|
.dump_subnode:
|
|
|
|
test byte [esi+0Ch], 2
|
|
|
|
jnz .dump_subnode_done
|
|
|
|
call .add_entry
|
|
|
|
movzx eax, word [esi+8]
|
|
|
|
add esi, eax
|
|
|
|
jmp .dump_subnode
|
|
|
|
.dump_subnode_done:
|
|
|
|
inc [ebp+NTFS.ntfs_cur_offs]
|
|
|
|
test [ebp+NTFS.ntfs_cur_offs], 0x400*8-1
|
|
|
|
jnz .dumploop
|
|
|
|
mov [ebp+NTFS.ntfs_cur_attr], 0xB0
|
|
|
|
push ecx edi
|
|
|
|
lea edi, [ebp+NTFS.ntfs_bitmap_buf]
|
|
|
|
mov [ebp+NTFS.ntfs_cur_buf], edi
|
|
|
|
mov ecx, 0x400/4
|
|
|
|
xor eax, eax
|
|
|
|
rep stosd
|
|
|
|
pop edi ecx
|
|
|
|
pop eax
|
|
|
|
push [ebp+NTFS.ntfs_cur_offs]
|
|
|
|
inc eax
|
|
|
|
mov [ebp+NTFS.ntfs_cur_offs], eax
|
|
|
|
mov [ebp+NTFS.ntfs_cur_size], 2
|
|
|
|
push eax
|
|
|
|
call ntfs_read_attr
|
|
|
|
pop eax
|
|
|
|
pop [ebp+NTFS.ntfs_cur_offs]
|
|
|
|
push eax
|
|
|
|
jmp .dumploop
|
|
|
|
.done:
|
|
|
|
pop eax
|
|
|
|
pop edx
|
|
|
|
mov ebx, [edx+4]
|
|
|
|
pop edx
|
|
|
|
xor eax, eax
|
|
|
|
dec ecx
|
|
|
|
js @f
|
|
|
|
mov al, ERROR_END_OF_FILE
|
|
|
|
@@:
|
|
|
|
mov [esp+1Ch], eax
|
|
|
|
mov [esp+10h], ebx
|
|
|
|
call ntfs_unlock
|
|
|
|
popad
|
|
|
|
ret
|
|
|
|
|
|
|
|
.add_special_entry:
|
|
|
|
mov eax, [edx]
|
|
|
|
inc dword [eax+8] ; new file found
|
|
|
|
dec ebx
|
|
|
|
jns .ret
|
|
|
|
dec ecx
|
|
|
|
js .ret
|
|
|
|
inc dword [eax+4] ; new file block copied
|
|
|
|
mov eax, [edx+4]
|
|
|
|
mov [edi+4], eax
|
|
|
|
; mov eax, dword [ntfs_bitmap_buf+0x20]
|
|
|
|
; or al, 0x10
|
|
|
|
mov eax, 0x10
|
|
|
|
stosd
|
|
|
|
scasd
|
|
|
|
push edx
|
|
|
|
mov eax, dword [ebp+NTFS.ntfs_bitmap_buf]
|
|
|
|
mov edx, dword [ebp+NTFS.ntfs_bitmap_buf+4]
|
|
|
|
call ntfs_datetime_to_bdfe
|
|
|
|
mov eax, dword [ebp+NTFS.ntfs_bitmap_buf+0x18]
|
|
|
|
mov edx, dword [ebp+NTFS.ntfs_bitmap_buf+0x1C]
|
|
|
|
call ntfs_datetime_to_bdfe
|
|
|
|
mov eax, dword [ebp+NTFS.ntfs_bitmap_buf+8]
|
|
|
|
mov edx, dword [ebp+NTFS.ntfs_bitmap_buf+0xC]
|
|
|
|
call ntfs_datetime_to_bdfe
|
|
|
|
pop edx
|
|
|
|
xor eax, eax
|
|
|
|
stosd
|
|
|
|
stosd
|
|
|
|
mov al, '.'
|
|
|
|
push edi ecx
|
|
|
|
lea ecx, [esi+1]
|
|
|
|
test byte [edi-0x24], 1
|
|
|
|
jz @f
|
|
|
|
rep stosw
|
|
|
|
pop ecx
|
|
|
|
xor eax, eax
|
|
|
|
stosw
|
|
|
|
pop edi
|
|
|
|
add edi, 520
|
|
|
|
ret
|
|
|
|
@@:
|
|
|
|
rep stosb
|
|
|
|
pop ecx
|
|
|
|
xor eax, eax
|
|
|
|
stosb
|
|
|
|
pop edi
|
|
|
|
add edi, 264
|
|
|
|
.ret:
|
|
|
|
ret
|
|
|
|
|
|
|
|
.add_entry:
|
|
|
|
; do not return DOS 8.3 names
|
|
|
|
cmp byte [esi+0x51], 2
|
|
|
|
jz .ret
|
|
|
|
; do not return system files
|
|
|
|
; ... note that there will be no bad effects if system files also were reported ...
|
|
|
|
cmp dword [esi], 0x10
|
|
|
|
jb .ret
|
|
|
|
mov eax, [edx]
|
|
|
|
inc dword [eax+8] ; new file found
|
|
|
|
dec ebx
|
|
|
|
jns .ret
|
|
|
|
dec ecx
|
|
|
|
js .ret
|
|
|
|
inc dword [eax+4] ; new file block copied
|
|
|
|
mov eax, [edx+4] ; flags
|
|
|
|
call ntfs_direntry_to_bdfe
|
|
|
|
push ecx esi edi
|
|
|
|
movzx ecx, byte [esi+0x50]
|
|
|
|
add esi, 0x52
|
|
|
|
test byte [edi-0x24], 1
|
|
|
|
jz .ansi
|
|
|
|
shr ecx, 1
|
|
|
|
rep movsd
|
|
|
|
adc ecx, ecx
|
|
|
|
rep movsw
|
|
|
|
and word [edi], 0
|
|
|
|
pop edi
|
|
|
|
add edi, 520
|
|
|
|
pop esi ecx
|
|
|
|
ret
|
|
|
|
.ansi:
|
|
|
|
jecxz .skip
|
|
|
|
@@:
|
|
|
|
lodsw
|
|
|
|
call uni2ansi_char
|
|
|
|
stosb
|
|
|
|
loop @b
|
|
|
|
.skip:
|
|
|
|
xor al, al
|
|
|
|
stosb
|
|
|
|
pop edi
|
|
|
|
add edi, 264
|
|
|
|
pop esi ecx
|
|
|
|
ret
|
|
|
|
|
|
|
|
ntfs_direntry_to_bdfe:
|
|
|
|
mov [edi+4], eax ; ANSI/UNICODE name
|
|
|
|
mov eax, [esi+48h]
|
|
|
|
test eax, 0x10000000
|
|
|
|
jz @f
|
|
|
|
and eax, not 0x10000000
|
|
|
|
or al, 0x10
|
|
|
|
@@:
|
|
|
|
stosd
|
|
|
|
scasd
|
|
|
|
push edx
|
|
|
|
mov eax, [esi+0x18]
|
|
|
|
mov edx, [esi+0x1C]
|
|
|
|
call ntfs_datetime_to_bdfe
|
|
|
|
mov eax, [esi+0x30]
|
|
|
|
mov edx, [esi+0x34]
|
|
|
|
call ntfs_datetime_to_bdfe
|
|
|
|
mov eax, [esi+0x20]
|
|
|
|
mov edx, [esi+0x24]
|
|
|
|
call ntfs_datetime_to_bdfe
|
|
|
|
pop edx
|
|
|
|
mov eax, [esi+0x40]
|
|
|
|
stosd
|
|
|
|
mov eax, [esi+0x44]
|
|
|
|
stosd
|
|
|
|
ret
|
|
|
|
|
|
|
|
iglobal
|
|
|
|
_24 dd 24
|
|
|
|
_60 dd 60
|
|
|
|
_10000000 dd 10000000
|
|
|
|
days400year dd 365*400+100-4+1
|
|
|
|
days100year dd 365*100+25-1
|
|
|
|
days4year dd 365*4+1
|
|
|
|
days1year dd 365
|
|
|
|
months dd 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
|
|
|
|
months2 dd 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
|
|
|
|
_400 dd 400
|
|
|
|
_100 dd 100
|
|
|
|
endg
|
|
|
|
|
|
|
|
ntfs_datetime_to_bdfe:
|
|
|
|
; edx:eax = number of 100-nanosecond intervals since January 1, 1601, in UTC
|
|
|
|
push eax
|
|
|
|
mov eax, edx
|
|
|
|
xor edx, edx
|
|
|
|
div [_10000000]
|
|
|
|
xchg eax, [esp]
|
|
|
|
div [_10000000]
|
|
|
|
pop edx
|
|
|
|
.sec:
|
|
|
|
; edx:eax = number of seconds since January 1, 1601
|
|
|
|
push eax
|
|
|
|
mov eax, edx
|
|
|
|
xor edx, edx
|
|
|
|
div [_60]
|
|
|
|
xchg eax, [esp]
|
|
|
|
div [_60]
|
|
|
|
mov [edi], dl
|
|
|
|
pop edx
|
|
|
|
; edx:eax = number of minutes
|
|
|
|
div [_60]
|
|
|
|
mov [edi+1], dl
|
|
|
|
; eax = number of hours (note that 2^64/(10^7*60*60) < 2^32)
|
|
|
|
xor edx, edx
|
|
|
|
div [_24]
|
|
|
|
mov [edi+2], dl
|
|
|
|
mov [edi+3], byte 0
|
|
|
|
; eax = number of days since January 1, 1601
|
|
|
|
xor edx, edx
|
|
|
|
div [days400year]
|
|
|
|
imul eax, 400
|
|
|
|
add eax, 1601
|
|
|
|
mov [edi+6], ax
|
|
|
|
mov eax, edx
|
|
|
|
xor edx, edx
|
|
|
|
div [days100year]
|
|
|
|
cmp al, 4
|
|
|
|
jnz @f
|
|
|
|
dec eax
|
|
|
|
add edx, [days100year]
|
|
|
|
@@:
|
|
|
|
imul eax, 100
|
|
|
|
add [edi+6], ax
|
|
|
|
mov eax, edx
|
|
|
|
xor edx, edx
|
|
|
|
div [days4year]
|
|
|
|
shl eax, 2
|
|
|
|
add [edi+6], ax
|
|
|
|
mov eax, edx
|
|
|
|
xor edx, edx
|
|
|
|
div [days1year]
|
|
|
|
cmp al, 4
|
|
|
|
jnz @f
|
|
|
|
dec eax
|
|
|
|
add edx, [days1year]
|
|
|
|
@@:
|
|
|
|
add [edi+6], ax
|
|
|
|
push esi edx
|
|
|
|
mov esi, months
|
|
|
|
movzx eax, word [edi+6]
|
|
|
|
test al, 3
|
|
|
|
jnz .noleap
|
|
|
|
xor edx, edx
|
|
|
|
push eax
|
|
|
|
div [_400]
|
|
|
|
pop eax
|
|
|
|
test edx, edx
|
|
|
|
jz .leap
|
|
|
|
xor edx, edx
|
|
|
|
div [_100]
|
|
|
|
test edx, edx
|
|
|
|
jz .noleap
|
|
|
|
.leap:
|
|
|
|
mov esi, months2
|
|
|
|
.noleap:
|
|
|
|
pop edx
|
|
|
|
xor eax, eax
|
|
|
|
inc eax
|
|
|
|
@@:
|
|
|
|
sub edx, [esi]
|
|
|
|
jb @f
|
|
|
|
add esi, 4
|
|
|
|
inc eax
|
|
|
|
jmp @b
|
|
|
|
@@:
|
|
|
|
add edx, [esi]
|
|
|
|
pop esi
|
|
|
|
inc edx
|
|
|
|
mov [edi+4], dl
|
|
|
|
mov [edi+5], al
|
|
|
|
add edi, 8
|
|
|
|
ret
|
|
|
|
|
|
|
|
;----------------------------------------------------------------
|
|
|
|
; ntfs_Rewrite - NTFS implementation of creating a new file
|
|
|
|
; in: ebp = pointer to NTFS structure
|
|
|
|
; in: esi+[esp+4] = name
|
|
|
|
; in: ebx = pointer to parameters from sysfunc 70
|
|
|
|
; out: eax, ebx = return values for sysfunc 70
|
|
|
|
;----------------------------------------------------------------
|
|
|
|
ntfs_Rewrite:
|
|
|
|
ntfs_CreateFolder:
|
|
|
|
xor ebx, ebx
|
|
|
|
mov eax, ERROR_UNSUPPORTED_FS
|
|
|
|
ret
|
|
|
|
|
|
|
|
;----------------------------------------------------------------
|
|
|
|
; ntfs_Write - NTFS implementation of writing to file
|
|
|
|
; in: ebp = pointer to NTFS structure
|
|
|
|
; in: esi+[esp+4] = name
|
|
|
|
; in: ebx = pointer to parameters from sysfunc 70
|
|
|
|
; out: eax, ebx = return values for sysfunc 70
|
|
|
|
;----------------------------------------------------------------
|
|
|
|
ntfs_Write:
|
|
|
|
xor ebx, ebx
|
|
|
|
mov eax, ERROR_UNSUPPORTED_FS
|
|
|
|
ret
|
|
|
|
|
|
|
|
ntfs_SetFileEnd:
|
|
|
|
ntfs_SetFileInfo:
|
|
|
|
ntfs_Delete:
|
|
|
|
mov eax, ERROR_UNSUPPORTED_FS
|
|
|
|
ret
|
|
|
|
|
|
|
|
;----------------------------------------------------------------
|
|
|
|
; ntfs_GetFileInfo - NTFS implementation of getting file info
|
|
|
|
; in: ebp = pointer to NTFS structure
|
|
|
|
; in: esi+[esp+4] = name
|
|
|
|
; in: ebx = pointer to parameters from sysfunc 70
|
|
|
|
; out: eax, ebx = return values for sysfunc 70
|
|
|
|
;----------------------------------------------------------------
|
|
|
|
ntfs_GetFileInfo:
|
|
|
|
cmp byte [esi], 0
|
|
|
|
jnz @f
|
|
|
|
movi eax, 2
|
|
|
|
ret
|
|
|
|
@@:
|
|
|
|
call ntfs_lock
|
|
|
|
stdcall ntfs_find_lfn, [esp+4]
|
|
|
|
jnc .doit
|
|
|
|
test eax, eax
|
|
|
|
movi eax, ERROR_FILE_NOT_FOUND
|
|
|
|
jz @f
|
|
|
|
mov al, 11
|
|
|
|
@@:
|
|
|
|
push eax
|
|
|
|
call ntfs_unlock
|
|
|
|
pop eax
|
|
|
|
ret
|
|
|
|
.doit:
|
|
|
|
push esi edi
|
|
|
|
mov esi, eax
|
|
|
|
mov edi, [ebx+16]
|
|
|
|
xor eax, eax
|
|
|
|
call ntfs_direntry_to_bdfe
|
|
|
|
pop edi esi
|
|
|
|
call ntfs_unlock
|
|
|
|
xor eax, eax
|
|
|
|
ret
|
|
|
|
|