update commands after new process_data

thewhiteninja · Mar 15, 2022 · 8689970 · 8689970
1 parent 4697081
commit 8689970
Show file tree

Hide file tree

Showing 6 changed files with 14 additions and 21 deletions.
diff --git a/Sources/Commands/command_extract.cpp b/Sources/Commands/command_extract.cpp
@@ -50,7 +50,7 @@ int extract_file(std::shared_ptr<Disk> disk, std::shared_ptr<Volume> vol, std::s
 	std::cout << "[+] Extracting file..." << std::endl;
 	std::wstring output_filename = utils::strings::from_string(opts->output);
 
-	ULONG64 written = record->data_to_file(output_filename, stream_name);
+	ULONG64 written = record->data_to_file(output_filename, stream_name, true);
 	std::cout << "[+] " << written << " bytes (" + utils::format::size(written) << ") written" << std::endl;
 
 	if (stdinfo)

diff --git a/Sources/Commands/command_shell.cpp b/Sources/Commands/command_shell.cpp
@@ -358,7 +358,7 @@ int explorer(std::shared_ptr<Disk> disk, std::shared_ptr<Volume> vol)
 							std::shared_ptr<MFTRecord> copyfrom_record = explorer->mft()->record_from_number(entry->record_number());
 							if (!(copyfrom_record->header()->flag & MFT_RECORD_IS_DIRECTORY))
 							{
-								if (copyfrom_record->data_to_file(utils::strings::from_string(copyto).c_str(), from_file.second))
+								if (copyfrom_record->data_to_file(utils::strings::from_string(copyto).c_str(), from_file.second, true))
 								{
 									std::cout << "1 file copied" << std::endl;
 								}

diff --git a/Sources/Commands/command_undelete.cpp b/Sources/Commands/command_undelete.cpp
@@ -283,7 +283,7 @@ int extract_deleted_file(std::shared_ptr<Disk> disk, std::shared_ptr<Volume> vol
 		std::cout << " to " << opts->output << std::endl;
 
 		std::wstring output(opts->output.begin(), opts->output.end());
-		record->data_to_file(output);
+		record->data_to_file(output, "", true);
 
 		std::cout << "[+] " << record->datasize() << " bytes written" << std::endl;
 	}

diff --git a/Sources/Commands/command_usn.cpp b/Sources/Commands/command_usn.cpp
@@ -52,7 +52,7 @@ int print_usn_journal(std::shared_ptr<Disk> disk, std::shared_ptr<Volume> vol, c
 	ULONG64 processed_count = 0;
 	ULONG64 filled_size = 0;
 
-	std::cout << "[+] Reading $J" << std::endl;
+	std::cout << "[+] Creating " << output << std::endl;
 
 	HANDLE houtput = CreateFileA(output.c_str(), GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
 	if (houtput == INVALID_HANDLE_VALUE)
@@ -82,7 +82,7 @@ int print_usn_journal(std::shared_ptr<Disk> disk, std::shared_ptr<Volume> vol, c
 
 		for (auto& block : record->process_data(MFT_ATTRIBUTE_DATA_USN_NAME, cluster_size, true))
 		{
-			read += cluster_size;
+			read += block.second;
 
 			memcpy(clusterBuf.data() + filled_size, block.first, block.second);
 			filled_size += block.second;
@@ -152,7 +152,7 @@ int print_usn_journal(std::shared_ptr<Disk> disk, std::shared_ptr<Volume> vol, c
 
 		for (auto& block : record->process_data(MFT_ATTRIBUTE_DATA_USN_NAME, cluster_size, true))
 		{
-			read += cluster_size;
+			read += block.second;
 
 			PUSN_RECORD_COMMON_HEADER header = (PUSN_RECORD_COMMON_HEADER)clusterBuf.data();
 

diff --git a/Sources/NTFS/ntfs_mft.cpp b/Sources/NTFS/ntfs_mft.cpp
@@ -111,14 +111,12 @@ std::shared_ptr<MFTRecord> MFT::record_from_number(ULONG64 record_number)
 		}
 		if (offset == -1LL)
 		{
-			wprintf(L"Failed to find record offset for inode 0x%08llx", record_number);
 			return nullptr;
 		}
 
 		_reader->seek(offset);
 		if (!_reader->read(buffer->address() + sector * _reader->boot_record()->bytePerSector, _reader->boot_record()->bytePerSector))
 		{
-			wprintf(L"Failed to read record at offset 0x%08llx", offset);
 			return nullptr;
 		}
 	}

diff --git a/Sources/NTFS/ntfs_mft_record.cpp b/Sources/NTFS/ntfs_mft_record.cpp
@@ -605,8 +605,6 @@ cppcoro::generator<std::pair<PBYTE, DWORD>> MFTRecord::process_data_raw(std::str
 			if (attribute_list_data != nullptr)
 			{
 				DWORD offset = 0;
-				bool is_first_data = true;
-				ULONG64 filesize_left = 0;
 
 				while (offset + sizeof(MFT_RECORD_ATTRIBUTE) <= attribute_list_data->size())
 				{
@@ -619,17 +617,9 @@ cppcoro::generator<std::pair<PBYTE, DWORD>> MFTRecord::process_data_raw(std::str
 						if (next_inode != _record->data()->MFTRecordIndex)
 						{
 							std::shared_ptr<MFTRecord> extRecordHeader = _mft->record_from_number(pAttrListI->recordNumber & 0xffffffffffff);
-
-							if (is_first_data)
-							{
-								filesize_left = extRecordHeader->datasize(stream_name);
-								is_first_data = false;
-							}
-
 							for (std::pair<PBYTE, DWORD> b : extRecordHeader->process_data_raw(stream_name, block_size, skip_sparse))
 							{
 								co_yield b;
-								filesize_left -= b.second;
 							}
 						}
 					}
@@ -654,16 +644,21 @@ cppcoro::generator<std::pair<PBYTE, DWORD>> MFTRecord::process_data_raw(std::str
 cppcoro::generator<std::pair<PBYTE, DWORD>> MFTRecord::process_data(std::string stream_name, DWORD block_size, bool skip_sparse)
 {
 	ULONG64 final_datasize = datasize("", true);
-	std::cout << final_datasize << std::endl;
+	bool check_size = final_datasize != 0; // ex: no real size for usn
 
 	for (auto& block : process_data_raw(stream_name, block_size, skip_sparse))
 	{
-		if (block.second > final_datasize)
+		if (block.second > final_datasize && check_size)
 		{
 			block.second = static_cast<DWORD>(final_datasize);
 		}
+
 		co_yield block;
-		final_datasize -= block.second;
+
+		if (check_size)
+		{
+			final_datasize -= block.second;
+		}
 	}
 }