From 469708114ea78c93a15665527e6d2b1757b40fe0 Mon Sep 17 00:00:00 2001
From: thewhiteninja <40250307+thewhiteninja@users.noreply.github.com>
Date: Tue, 15 Mar 2022 02:05:29 +0100
Subject: [PATCH] remove real_size

---
 Sources/Commands/command_usn.cpp |  6 +++---
 Sources/NTFS/ntfs_mft_record.cpp | 37 +++++++++++++-------------------
 Sources/NTFS/ntfs_mft_record.h   |  6 +++---
 3 files changed, 21 insertions(+), 28 deletions(-)

diff --git a/Sources/Commands/command_usn.cpp b/Sources/Commands/command_usn.cpp
index 6b3b0f5..04a837a 100644
--- a/Sources/Commands/command_usn.cpp
+++ b/Sources/Commands/command_usn.cpp
@@ -63,7 +63,7 @@ int print_usn_journal(std::shared_ptr<Disk> disk, std::shared_ptr<Volume> vol, c
 
 	if (format == "raw")
 	{
-		for (auto& block : record->process_data(MFT_ATTRIBUTE_DATA_USN_NAME, 1024 * 1024, true, true))
+		for (auto& block : record->process_data(MFT_ATTRIBUTE_DATA_USN_NAME, 1024 * 1024, true))
 		{
 			std::cout << "\r[+] Processing data: " << utils::format::size(processed_count) << "     ";
 			processed_count += block.second;
@@ -80,7 +80,7 @@ int print_usn_journal(std::shared_ptr<Disk> disk, std::shared_ptr<Volume> vol, c
 		DWORD header_size = 0;
 		if (!FAILED(SizeTToDWord(csv_header.size(), &header_size))) WriteFile(houtput, csv_header.c_str(), header_size, &written, NULL);
 
-		for (auto& block : record->process_data(MFT_ATTRIBUTE_DATA_USN_NAME, cluster_size, true, true))
+		for (auto& block : record->process_data(MFT_ATTRIBUTE_DATA_USN_NAME, cluster_size, true))
 		{
 			read += cluster_size;
 
@@ -150,7 +150,7 @@ int print_usn_journal(std::shared_ptr<Disk> disk, std::shared_ptr<Volume> vol, c
 		DWORD read = 0;
 		WriteFile(houtput, "[\n", 2, &written, NULL);
 
-		for (auto& block : record->process_data(MFT_ATTRIBUTE_DATA_USN_NAME, cluster_size, true, true))
+		for (auto& block : record->process_data(MFT_ATTRIBUTE_DATA_USN_NAME, cluster_size, true))
 		{
 			read += cluster_size;
 
diff --git a/Sources/NTFS/ntfs_mft_record.cpp b/Sources/NTFS/ntfs_mft_record.cpp
index dd288ca..a6f620f 100644
--- a/Sources/NTFS/ntfs_mft_record.cpp
+++ b/Sources/NTFS/ntfs_mft_record.cpp
@@ -376,14 +376,14 @@ PMFT_RECORD_ATTRIBUTE_HEADER MFTRecord::attribute_header(DWORD type, std::string
 	return nullptr;
 }
 
-ULONG64 MFTRecord::data_to_file(std::wstring dest_filename, std::string stream_name, bool real_size)
+ULONG64 MFTRecord::data_to_file(std::wstring dest_filename, std::string stream_name, bool skip_sparse)
 {
 	ULONG64 written_bytes = 0ULL;
 
 	HANDLE output = CreateFileW(dest_filename.c_str(), GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
 	if (output != INVALID_HANDLE_VALUE)
 	{
-		for (auto& data_block : process_data(stream_name, 1024 * 1024, real_size))
+		for (auto& data_block : process_data(stream_name, 1024 * 1024, skip_sparse))
 		{
 			DWORD written_block;
 			if (!WriteFile(output, data_block.first, data_block.second, &written_block, NULL))
@@ -405,7 +405,7 @@ ULONG64 MFTRecord::data_to_file(std::wstring dest_filename, std::string stream_n
 	return written_bytes;
 }
 
-cppcoro::generator<std::pair<PBYTE, DWORD>> MFTRecord::process_data_raw(std::string stream_name, DWORD block_size, bool real_size, bool skip_sparse)
+cppcoro::generator<std::pair<PBYTE, DWORD>> MFTRecord::process_data_raw(std::string stream_name, DWORD block_size, bool skip_sparse)
 {
 	PMFT_RECORD_ATTRIBUTE_HEADER pAttributeData = attribute_header($DATA, stream_name);
 	if (pAttributeData != NULL)
@@ -458,7 +458,7 @@ cppcoro::generator<std::pair<PBYTE, DWORD>> MFTRecord::process_data_raw(std::str
 						for (DWORD64 i = 0; i < total_size; i += block_size)
 						{
 							fixed_blocksize = DWORD(min(pAttributeData->Form.Nonresident.FileSize - writeSize, block_size));
-							co_yield std::pair<PBYTE, DWORD>(buffer_decompressed.data(), real_size ? static_cast<DWORD>(fixed_blocksize) : block_size);
+							co_yield std::pair<PBYTE, DWORD>(buffer_decompressed.data(), static_cast<DWORD>(fixed_blocksize));
 							writeSize += fixed_blocksize;
 						}
 					}
@@ -566,7 +566,7 @@ cppcoro::generator<std::pair<PBYTE, DWORD>> MFTRecord::process_data_raw(std::str
 							for (DWORD64 i = 0; i < total_size; i += block_size)
 							{
 								fixed_blocksize = DWORD(min(pAttributeData->Form.Nonresident.FileSize - writeSize, block_size));
-								co_yield std::pair<PBYTE, DWORD>(buffer.data(), real_size ? static_cast<DWORD>(fixed_blocksize) : block_size);
+								co_yield std::pair<PBYTE, DWORD>(buffer.data(), static_cast<DWORD>(fixed_blocksize));
 								writeSize += fixed_blocksize;
 							}
 						}
@@ -585,16 +585,8 @@ cppcoro::generator<std::pair<PBYTE, DWORD>> MFTRecord::process_data_raw(std::str
 								break;
 							}
 							read_block_size = min(read_block_size, total_size - i);
-							if (pAttributeData->Form.Nonresident.FileSize)
-							{
-								fixed_blocksize = DWORD(min(pAttributeData->Form.Nonresident.FileSize - writeSize, read_block_size));
-							}
-							else
-							{
-								fixed_blocksize = read_block_size;
-
-							}
-							co_yield std::pair<PBYTE, DWORD>(buffer.data(), real_size ? static_cast<DWORD>(fixed_blocksize) : static_cast<DWORD>(read_block_size));
+							fixed_blocksize = read_block_size;
+							co_yield std::pair<PBYTE, DWORD>(buffer.data(), static_cast<DWORD>(fixed_blocksize));
 							writeSize += fixed_blocksize;
 						}
 					}
@@ -634,12 +626,8 @@ cppcoro::generator<std::pair<PBYTE, DWORD>> MFTRecord::process_data_raw(std::str
 								is_first_data = false;
 							}
 
-							for (std::pair<PBYTE, DWORD> b : extRecordHeader->process_data_raw(stream_name, block_size, real_size, skip_sparse))
+							for (std::pair<PBYTE, DWORD> b : extRecordHeader->process_data_raw(stream_name, block_size, skip_sparse))
 							{
-								if (filesize_left < b.second && real_size)
-								{
-									b.second = static_cast<DWORD>(filesize_left);
-								}
 								co_yield b;
 								filesize_left -= b.second;
 							}
@@ -663,14 +651,19 @@ cppcoro::generator<std::pair<PBYTE, DWORD>> MFTRecord::process_data_raw(std::str
 	}
 }
 
-cppcoro::generator<std::pair<PBYTE, DWORD>> MFTRecord::process_data(std::string stream_name, DWORD block_size, bool real_size, bool skip_sparse)
+cppcoro::generator<std::pair<PBYTE, DWORD>> MFTRecord::process_data(std::string stream_name, DWORD block_size, bool skip_sparse)
 {
 	ULONG64 final_datasize = datasize("", true);
 	std::cout << final_datasize << std::endl;
 
-	for (auto& block : process_data_raw(stream_name, block_size, real_size, skip_sparse))
+	for (auto& block : process_data_raw(stream_name, block_size, skip_sparse))
 	{
+		if (block.second > final_datasize)
+		{
+			block.second = static_cast<DWORD>(final_datasize);
+		}
 		co_yield block;
+		final_datasize -= block.second;
 	}
 }
 
diff --git a/Sources/NTFS/ntfs_mft_record.h b/Sources/NTFS/ntfs_mft_record.h
index fae4485..de668db 100644
--- a/Sources/NTFS/ntfs_mft_record.h
+++ b/Sources/NTFS/ntfs_mft_record.h
@@ -118,11 +118,11 @@ class MFTRecord
 
 	std::shared_ptr<Buffer<PBYTE>> data(std::string stream_name = "", bool real_size = true);
 
-	ULONG64 data_to_file(std::wstring dest_filename, std::string stream_name = "", bool real_size = true);
+	ULONG64 data_to_file(std::wstring dest_filename, std::string stream_name = "", bool skip_sparse = false);
 
-	cppcoro::generator<std::pair<PBYTE, DWORD>> process_data_raw(std::string stream_name = "", DWORD blocksize = 1024 * 1024, bool real_size = true, bool skip_sparse = false);
+	cppcoro::generator<std::pair<PBYTE, DWORD>> process_data_raw(std::string stream_name = "", DWORD blocksize = 1024 * 1024, bool skip_sparse = false);
 
-	cppcoro::generator<std::pair<PBYTE, DWORD>> process_data(std::string stream_name = "", DWORD blocksize = 1024 * 1024, bool real_size = true, bool skip_sparse = false);
+	cppcoro::generator<std::pair<PBYTE, DWORD>> process_data(std::string stream_name = "", DWORD blocksize = 1024 * 1024, bool skip_sparse = false);
 
 	std::vector<std::string> alternate_data_names();