diff --git a/Sources/Commands/command_extract.cpp b/Sources/Commands/command_extract.cpp
index 6f24a4e..e579427 100644
--- a/Sources/Commands/command_extract.cpp
+++ b/Sources/Commands/command_extract.cpp
@@ -50,7 +50,7 @@ int extract_file(std::shared_ptr disk, std::shared_ptr vol, std::s
 std::cout << "[+] Extracting file..." << std::endl;
 std::wstring output_filename = utils::strings::from_string(opts->output);
- ULONG64 written = record->data_to_file(output_filename, stream_name);
+ ULONG64 written = record->data_to_file(output_filename, stream_name, true);
 std::cout << "[+] " << written << " bytes (" + utils::format::size(written) << ") written" << std::endl;
 if (stdinfo)
diff --git a/Sources/Commands/command_shell.cpp b/Sources/Commands/command_shell.cpp
index 61ebf74..4f6f810 100644
--- a/Sources/Commands/command_shell.cpp
+++ b/Sources/Commands/command_shell.cpp
@@ -358,7 +358,7 @@ int explorer(std::shared_ptr disk, std::shared_ptr vol)
 std::shared_ptr copyfrom_record = explorer->mft()->record_from_number(entry->record_number());
 if (!(copyfrom_record->header()->flag & MFT_RECORD_IS_DIRECTORY))
 {
- if (copyfrom_record->data_to_file(utils::strings::from_string(copyto).c_str(), from_file.second))
+ if (copyfrom_record->data_to_file(utils::strings::from_string(copyto).c_str(), from_file.second, true))
 {
 std::cout << "1 file copied" << std::endl;
 }
diff --git a/Sources/Commands/command_undelete.cpp b/Sources/Commands/command_undelete.cpp
index c710200..bc99b90 100644
--- a/Sources/Commands/command_undelete.cpp
+++ b/Sources/Commands/command_undelete.cpp
@@ -283,7 +283,7 @@ int extract_deleted_file(std::shared_ptr disk, std::shared_ptr vol
 std::cout << " to " << opts->output << std::endl;
 std::wstring output(opts->output.begin(), opts->output.end());
- record->data_to_file(output);
+ record->data_to_file(output, "", true);
 std::cout << "[+] " << record->datasize() << " bytes written" << std::endl;
 }
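Review bot: The new third argument to `data_to_file` in extract_file (command_extract.cpp) is a bare `true`, so the call site does not say which behaviour it switches on; the same literal is added in explorer (command_shell.cpp) and extract_deleted_file (command_undelete.cpp). The parameter's name is not visible in this diff; if it is the sparse-skipping flag that `process_data` takes as `skip_sparse`, the file written can be shorter than the stream's logical size, which matters when the output is later hashed or compared with the original. I would name the argument at each call, e.g. `record->data_to_file(output_filename, stream_name, /*<parameter name>=*/true);`, and have the command's output say when ranges were left out.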
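Review bot: In explorer (command_shell.cpp), `copyfrom_record` is dereferenced in `copyfrom_record->header()->flag` with no null check, and the ntfs_mft.cpp hunk of this commit makes `record_from_number` return `nullptr` without any message on both of its failure paths. On a damaged or malformed volume that becomes an unexplained crash in the copy path; the same unchecked pattern is on the new side of ntfs_mft_record.cpp, where `extRecordHeader->process_data_raw(...)` follows `record_from_number`. A guard such as `if (copyfrom_record == nullptr) { std::cout << "Unable to read the MFT record" << std::endl; }` before the flag test would cover it; how the branch should exit depends on code outside the hunk. Separately, command_extract.cpp shows `data_to_file` returning a byte count, so the `if` here prints nothing when a zero-length file is copied.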
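Review bot: extract_deleted_file (command_undelete.cpp) discards the return value of `data_to_file` and then prints `record->datasize()` as the number of bytes written, so the message reports the size recorded in the MFT rather than what reached the output file. command_extract.cpp in this same commit keeps the return value (`ULONG64 written = ...`) and prints that instead. For a deleted file the two can plausibly differ (a partial write, or skipped ranges if the new `true` argument skips data), so I would write `ULONG64 written = record->data_to_file(output, "", true);`, print `written`, and flag a mismatch with `record->datasize()`.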
diff --git a/Sources/Commands/command_usn.cpp b/Sources/Commands/command_usn.cpp
index 04a837a..578c8c3 100644
--- a/Sources/Commands/command_usn.cpp
+++ b/Sources/Commands/command_usn.cpp
@@ -52,7 +52,7 @@ int print_usn_journal(std::shared_ptr disk, std::shared_ptr vol, c
 ULONG64 processed_count = 0;
 ULONG64 filled_size = 0;
- std::cout << "[+] Reading $J" << std::endl;
+ std::cout << "[+] Creating " << output << std::endl;
 HANDLE houtput = CreateFileA(output.c_str(), GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
 if (houtput == INVALID_HANDLE_VALUE)
@@ -82,7 +82,7 @@ int print_usn_journal(std::shared_ptr disk, std::shared_ptr vol, c
 for (auto& block : record->process_data(MFT_ATTRIBUTE_DATA_USN_NAME, cluster_size, true))
 {
- read += cluster_size;
+ read += block.second;
 memcpy(clusterBuf.data() + filled_size, block.first, block.second);
 filled_size += block.second;
@@ -152,7 +152,7 @@ int print_usn_journal(std::shared_ptr disk, std::shared_ptr vol, c
 for (auto& block : record->process_data(MFT_ATTRIBUTE_DATA_USN_NAME, cluster_size, true))
 {
- read += cluster_size;
+ read += block.second;
 PUSN_RECORD_COMMON_HEADER header = (PUSN_RECORD_COMMON_HEADER)clusterBuf.data();
diff --git a/Sources/NTFS/ntfs_mft.cpp b/Sources/NTFS/ntfs_mft.cpp
index edb3145..f11a102 100644
--- a/Sources/NTFS/ntfs_mft.cpp
+++ b/Sources/NTFS/ntfs_mft.cpp
@@ -111,14 +111,12 @@ std::shared_ptr MFT::record_from_number(ULONG64 record_number)
 }
 if (offset == -1LL)
 {
- wprintf(L"Failed to find record offset for inode 0x%08llx", record_number);
 return nullptr;
 }
 _reader->seek(offset);
 if (!_reader->read(buffer->address() + sector * _reader->boot_record()->bytePerSector, _reader->boot_record()->bytePerSector))
 {
- wprintf(L"Failed to read record at offset 0x%08llx", offset);
 return nullptr;
 }
 }
diff --git a/Sources/NTFS/ntfs_mft_record.cpp b/Sources/NTFS/ntfs_mft_record.cpp
index a6f620f..f6463e0 100644
--- a/Sources/NTFS/ntfs_mft_record.cpp
+++ b/Sources/NTFS/ntfs_mft_record.cpp
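Review bot: In the `@@ -82` loop of print_usn_journal, the `memcpy(clusterBuf.data() + filled_size, block.first, block.second)` right after the changed line copies `block.second` bytes with no visible check that `filled_size + block.second` still fits in `clusterBuf`. Both values come from on-disk data, and with this commit `process_data` no longer clamps block sizes when the reported stream size is 0 (the `check_size` path, which its comment says is the USN case). The buffer's size and the code that resets `filled_size` are outside the hunk, so this may already be bounded; if it is not, a test before the copy along the lines of `if (block.second > clusterBuf.size() - filled_size) { /* flush or stop */ }` is needed (a sketch that assumes `clusterBuf` exposes its size). The loop body continues past the hunk.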
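Review bot: With both `wprintf` calls removed, record_from_number (ntfs_mft.cpp) has nothing on these two paths that says `nullptr` is its failure value or which failure occurred. A comment above the first `return nullptr;` would help callers, e.g. `// nullptr: record offset not found or sector read failed; callers must check`. If the messages were removed to keep the parsing layer quiet, consider another way for the caller to learn the reason, since an unreadable record is itself worth reporting when a damaged volume is being examined. The function starts and ends outside the hunk.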
@@ -605,8 +605,6 @@ cppcoro::generator> MFTRecord::process_data_raw(std::str
 if (attribute_list_data != nullptr)
 {
 DWORD offset = 0;
- bool is_first_data = true;
- ULONG64 filesize_left = 0;
 while (offset + sizeof(MFT_RECORD_ATTRIBUTE) <= attribute_list_data->size())
 {
@@ -619,17 +617,9 @@ cppcoro::generator> MFTRecord::process_data_raw(std::str
 if (next_inode != _record->data()->MFTRecordIndex)
 {
 std::shared_ptr extRecordHeader = _mft->record_from_number(pAttrListI->recordNumber & 0xffffffffffff);
-
- if (is_first_data)
- {
- filesize_left = extRecordHeader->datasize(stream_name);
- is_first_data = false;
- }
-
 for (std::pair b : extRecordHeader->process_data_raw(stream_name, block_size, skip_sparse))
 {
 co_yield b;
- filesize_left -= b.second;
 }
 }
 }
@@ -654,16 +644,21 @@ cppcoro::generator> MFTRecord::process_data_raw(std::str
 cppcoro::generator> MFTRecord::process_data(std::string stream_name, DWORD block_size, bool skip_sparse)
 {
 ULONG64 final_datasize = datasize("", true);
- std::cout << final_datasize << std::endl;
+ bool check_size = final_datasize != 0; // ex: no real size for usn
 for (auto& block : process_data_raw(stream_name, block_size, skip_sparse))
 {
- if (block.second > final_datasize)
+ if (block.second > final_datasize && check_size)
 {
 block.second = static_cast(final_datasize);
 }
+
 co_yield block;
-
- final_datasize -= block.second;
+
+ if (check_size)
+ {
+ final_datasize -= block.second;
+ }
 }
 }
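Review bot: In the `@@ -619` hunk of process_data_raw, the only guard before recursing into `extRecordHeader->process_data_raw(...)` is `next_inode != _record->data()->MFTRecordIndex`. As far as the hunk shows, that stops a record from following an attribute-list entry to itself but not records whose attribute lists name each other. The list contents come from the volume being parsed, so a malformed image could presumably drive this recursion without bound; whether an extension record re-enters this branch depends on code outside the hunk. At minimum I would record it next to the call, `// TODO: bound recursion depth; attribute-list entries come from the volume and may form a cycle`, and preferably track the record numbers already visited.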
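Review bot: In process_data (`@@ -654`), `final_datasize` is still taken from `datasize("", true)`, the unnamed stream, while the loop iterates `process_data_raw(stream_name, ...)`; the new `check_size` flag works around a size of 0 instead of asking for the size of the stream actually being read. The removed line `extRecordHeader->datasize(stream_name)` in the previous hunk suggests `datasize` accepts the stream name, so `ULONG64 final_datasize = datasize(stream_name, true);` looks like the intended call, though the meaning of the second argument is not visible here. As written, a named stream on a file whose unnamed stream is non-empty is clamped to the wrong length, and a size of 0 disables clamping altogether, so blocks are yielded at full length and may carry bytes past the end of the stream. Once `final_datasize` reaches 0 the loop also keeps yielding zero-length blocks; a `break` at that point would be cleaner.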