出处:http://bbs.intohard.com/thread-263652-1-1.html
头文件:data.h
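#include<iostream>
#include<math.h>
#include<string.h>
#include<windows.h>
using namespace std;

// Device opened by every Read call; kept in one place so the disk to read is easy to change.
char devName[] = "\\\\.\\PhysicalDrive1";
//char devName[] = "\\\\.\\G:";

// Returns the high nibble (upper four bits) of a byte.
int getTall(unsigned char buf)
{
    return buf >> 4;
}

// Returns the low nibble (lower four bits) of a byte.
int getLow(unsigned char buf)
{
    return buf & 0x0F;
}

// Reads raw sectors from devName: one sector for the MBR/DBR, two sectors for an
// MFT record, eight sectors for rootsector().
class Read
{
private:
    // Reads `bytes` bytes starting at sector `i` (512-byte sectors) into buf.
    // The device is opened with GENERIC_READ only: nothing here writes, and a tool that
    // inspects a disk should not hold a handle that is able to modify it.
    // buf is zero-filled first, so after a failed or short read the caller sees zeros
    // rather than the previous contents of its buffer.
    static void readAt(int i, unsigned char buf[], DWORD bytes)
    {
        memset(buf, 0, bytes);
        if (i < 0)
        {
            cerr << "Read: negative sector number " << i << endl;
            return;
        }

        HANDLE hFile = CreateFileA(devName,
            GENERIC_READ,
            FILE_SHARE_READ,
            NULL,
            OPEN_EXISTING,
            0,//FILE_FLAG_OVERLAPPED,
            NULL);
        if (hFile == INVALID_HANDLE_VALUE)
        {
            DWORD err = GetLastError();
            cerr << "Read: cannot open " << devName << ", error " << err << endl;
            return;
        }

        // The OVERLAPPED structure carries the 64-bit byte offset of the read.
        unsigned long long byteOffset = i * 512ull;
        OVERLAPPED overlap;
        memset(&overlap, 0, sizeof(overlap));
        overlap.OffsetHigh = (DWORD)(byteOffset >> 32);
        overlap.Offset = (DWORD)(byteOffset & 0xFFFFFFFFull);

        DWORD RSize = 0;
        if (!ReadFile(hFile, buf, bytes, &RSize, &overlap) || RSize != bytes)
        {
            DWORD err = GetLastError();
            cerr << "Read: read of " << bytes << " bytes at sector " << i
                 << " failed or was short, error " << err << endl;
            memset(buf, 0, bytes); // do not hand back a partially filled buffer
        }
        CloseHandle(hFile);
    }

public:
    // Reads one 512-byte sector (MBR or DBR) at sector i. buf must hold at least 512 bytes.
    void sector(int i, unsigned char buf[])
    {
        readAt(i, buf, 512);
    }

    // Reads one 1024-byte MFT record (two sectors) at sector i. buf must hold at least 1024 bytes.
    void mft(int i, unsigned char buf[])
    {
        readAt(i, buf, 1024);
    }

    // Reads 4096 bytes (eight sectors) at sector i. buf must hold at least 4096 bytes.
    void rootsector(int i, unsigned char buf[])
    {
        readAt(i, buf, 4096);
    }
};

// Locates attributes inside a 1024-byte MFT record and decodes a run list.
// The record comes straight from disk, so every offset and length taken from it is
// checked against the record size before it is used as an index.
class Judge
{
private:
    enum { RecordSize = 1024 }; // also the "not found" return value of the search functions

public:
    // Scans the first k bytes of buf in 8-byte steps for the 4-byte pattern j,0,0,0
    // (an attribute type code) and returns its offset, or 1024 when it is not found.
    int MFTproperty(int k, int j, unsigned char buf[1024])
    {
        int limit = k;
        if (limit > RecordSize - 3)
            limit = RecordSize - 3; // buf[i+3] must stay inside the record
        for (int i = 0; i < limit; i = i + 8)
        {
            if (buf[i] == j && buf[i + 1] == 0 && buf[i + 2] == 0 && buf[i + 3] == 0)
                return i;
        }
        return RecordSize;
    }

    // Walks the attribute list of an MFT record and returns the offset of the attribute
    // whose type byte equals k and whose successor has a larger type byte (so with
    // several attributes of type k, the last one). Returns 1024 when there is no such
    // attribute or when the list is malformed (zero length, or a length that leaves the
    // record).
    // NOTE(review): the first-attribute offset is taken from the single byte buf[20].
    int MFTallproperty(int k, unsigned char buf[1024])
    {
        int offset = buf[20];
        while (offset != 0 && offset + 8 <= RecordSize)
        {
            int type = buf[offset];
            if (type > k) // passed the place where type k would be
                return RecordSize;

            // Attribute length: two little-endian bytes at +4 and +5.
            int length = buf[offset + 4] | (buf[offset + 5] << 8);
            int next = offset + length;
            if (length == 0 || next >= RecordSize)
                return RecordSize; // a zero length would never advance; a long one leaves the record

            if (type == k && buf[next] > k)
                return offset;
            offset = next;
        }
        return RecordSize;
    }

    // Decodes the run list of the attribute that starts at offset i in buf.
    // For run number n, s1[n] receives the size value and s2[n] the start value.
    // Nothing is written unless the byte at i+8 is 1 (non-resident attribute).
    // Decoding stops at the 0 terminator, after 100 runs (the capacity of s1/s2), or at
    // the first run header that is invalid or would read past the record.
    // NOTE(review): as in the original, size and start are not reset between runs, so
    // both outputs are running totals; start values are summed as unsigned numbers, so
    // a negative relative offset is not handled. Confirm what callers expect.
    void Runlist(unsigned char buf[1024], int i, int s1[100], int s2[100])
    {
        if (i < 0 || i + 32 >= RecordSize)
            return;
        if (buf[i + 8] != 1) // compare; the original assigned 1 here and overwrote the flag
            return;

        int num = 0;
        int j = buf[i + 32] + i; // run list offset relative to the start of this MFT record
        unsigned long long size = 0;
        unsigned long long start = 0;
        while (num < 100 && j < RecordSize && buf[j] != 0)
        {
            int tall = getTall(buf[j]); // number of bytes in the start field
            int low = getLow(buf[j]);   // number of bytes in the size field
            if (tall > 8 || low > 8 || j + low + tall >= RecordSize)
                break; // more than 8 bytes per field, or the run leaves the record

            // Size field: little-endian bytes at j+1 .. j+low.
            for (int k = low; k >= 1; k--)
                size += (unsigned long long)buf[j + k] << (8 * (k - 1));
            s1[num] = (int)size;

            // Start field: little-endian bytes at j+low+1 .. j+low+tall (offset relative to the DBR).
            for (int k = tall; k >= 1; k--)
                start += (unsigned long long)buf[j + low + k] << (8 * (k - 1));
            s2[num] = (int)start;

            j += tall + low + 1;
            num++;
        }
    }
};

/* Disabled in the original listing and kept for reference only. The stub names
   30H/80H/90H/A0H are not valid C++ identifiers, and Change::offset indexes a
   parameter that is declared as a single unsigned char.
class MFTAnalysis
{public:
    void 30H()
    {

    }
    void 80H()
    {
    }
    void 90H()
    {
    }
    void A0H()
    {
    }
};

class Change
{public:
    int offset(int k,int sizeStart,unsigned char buf)
    {
        int offset=0;
        int start[16];
        for(int i=0;i<=k;i=i+2)// store the partition start sector number nibble by nibble
        {
            start[i]=getTall(buf[sizeStart+(k-1)/2]);
            start[i+1]=getLow(buf[sizeStart+(k-1)/2]);
            sizeStart=sizeStart-1;
        }
        for(int i=0;i<=k;i++)
        {
            offset+= start[i]*pow(double(16),double(k-i));// pow needs explicitly typed arguments
        }
        return offset;
    }

};*/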
主文件:main.cpp
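#include<iostream>
#include<limits.h>
#include<math.h>
#include<stdio.h>
#include<string.h>
// NOTE(review): the page titles the header "data.h" while this include names "date.h";
// make the file name and the include agree.
#include"date.h"
#include<windows.h>

using namespace std;

// Reads the MBR of the configured disk, takes the start sector of a partition from it,
// then walks MFT records from a fixed position inside that partition and prints, for
// each record, what it finds for the 30H, 80H and 90H attributes.
// Everything read from disk is treated as untrusted: offsets taken from a record are
// checked against the 1024-byte record size before they are used as indexes.
int main()
{
    const int PartitionStart=454;// offset in the MBR of the 4-byte start sector that is used
    // Sector distance from the partition start to the first MFT record. Hard-coded: this
    // program never reads the DBR, so the value is not taken from the volume.
    const int MFTstartSectors=6291456;

    int MFTnum=0;// index of the MFT record being examined

    unsigned char MBRbuf[512]={0};// holds the MBR
    unsigned char MFTbuf[1024]={0};// holds one MFT record

    int MFT30Hstart=0;// offset of the 30H attribute inside the record
    int MFT80Hstart=0;// offset of the 80H attribute inside the record
    int MFT90Hstart=0;// offset of the 90H attribute inside the record
    int MFTA0Hstart=0;// offset of the A0H attribute inside the record
    int MFT80HRunliststart=0;// offset of the run list inside the 80H attribute

    // Read the MBR.
    Read MBR;
    MBR.sector(0,MBRbuf);
    // A sector that does not end in 55 AA is not an MBR (or the read failed and the
    // buffer is still zero), so no partition offset is derived from it.
    if(MBRbuf[510]!=0x55||MBRbuf[511]!=0xAA)
    {
        cerr<<"MBR boot signature 55 AA not found; stopping"<<endl;
        return 1;
    }

    // Start sector of the partition relative to the start of the disk:
    // four little-endian bytes at PartitionStart .. PartitionStart+3.
    unsigned long DBRlba=0;
    for(int i=3;i>=0;i--)
    {
        DBRlba=(DBRlba<<8)|MBRbuf[PartitionStart+i];
    }
    // Sector numbers are passed around as int; refuse a value that would overflow one.
    if(DBRlba>(unsigned long)(INT_MAX-MFTstartSectors))
    {
        cerr<<"partition start sector "<<DBRlba<<" is too large for this tool; stopping"<<endl;
        return 1;
    }
    int DBRoffset=(int)DBRlba;
    int MFToffset=DBRoffset+MFTstartSectors+MFTnum*2;

    // Scan the MFT records one by one.
    for(;;)
    {
        // Clear the buffer so that a failed read cannot leave the previous record in place.
        memset(MFTbuf,0,sizeof(MFTbuf));
        Read MFT;
        MFT.mft(MFToffset,MFTbuf);
        if(MFTbuf[56]==255&&(MFTnum<16||MFTnum>23))
            break;
        // Stop at the first buffer that does not start with the "FILE" record signature
        // instead of parsing arbitrary bytes as attributes.
        if(MFTbuf[0]!='F'||MFTbuf[1]!='I'||MFTbuf[2]!='L'||MFTbuf[3]!='E')
        {
            cerr<<"record "<<MFTnum<<" has no FILE signature; stopping"<<endl;
            break;
        }
        if(MFTnum>=16&&MFTnum<=23)
            cout<<"该MFT记录为系统保留记录"<<endl;
        //
        // 30H attribute
        //
        Judge MFT30H;
        MFT30Hstart=MFT30H.MFTallproperty(48,MFTbuf);// offset of the 30H attribute
        if(MFT30Hstart>=0&&MFT30Hstart<1024)
        {
            if(MFT30Hstart+30<=1024)
            {
                // Record number of the parent directory: six little-endian bytes at +24,
                // so each byte weighs 256 times the previous one (the original used 16).
                unsigned long long Parentdirectory=0;
                for(int i=5;i>=0;i--)
                {
                    Parentdirectory=(Parentdirectory<<8)|MFTbuf[MFT30Hstart+24+i];
                }
                cout<<Parentdirectory<<endl;
            }
            else
            {
                cerr<<"30H attribute at "<<MFT30Hstart<<" does not fit in the record"<<endl;
            }
            // The original looped over the bytes from +90 up to the end of the attribute
            // (the file name) with the printf that printed them commented out.
        }
        else
        {
            cout<<"没有30属性"<<endl;
        }
        // 80H attribute
        //
        Judge MFT80H;
        MFT80Hstart=MFT80H.MFTallproperty(128,MFTbuf);// offset of the 80H attribute
        // An attribute whose header does not fit in the record is treated as absent.
        if(MFT80Hstart>=0&&MFT80Hstart+32<1024)
        {
            if(MFTbuf[MFT80Hstart+8]!=0)// non-zero flag at +8: walk the run list
            {
                MFT80HRunliststart=MFTbuf[MFT80Hstart+32];
                int pos=MFT80Hstart+MFT80HRunliststart;
                while(pos<1024&&MFTbuf[pos]!=0)// print each run of the 80H attribute
                {
                    int tall=getTall(MFTbuf[pos]);
                    int low=getLow(MFTbuf[pos]);
                    if(pos+low+tall>=1024)// the run would extend past the record
                        break;
                    for(int i=0;i<=low+tall;i++)
                    {
                        printf("%0X ",MFTbuf[pos+i]);
                    }
                    printf("数据流");
                    pos+=tall+low+1;
                }
                printf("\n");
            }
            else
            {
                cout<<"常驻属性"<<endl;
            }
        }
        else
        {
            MFT80HRunliststart=-1;
            cout<<"没有80属性"<<endl;
        }
        // 90H attribute
        //
        Judge MFT90H;
        MFT90Hstart=MFT90H.MFTallproperty(144,MFTbuf);// offset of the 90H attribute
        if(MFT90Hstart<1024)
        {
            cout<<MFT90Hstart<<endl;
        }
        else
        {
            cout<<"没有90H属性"<<endl;
        }
        // A0H attribute
        //
        Judge MFTA0H;
        MFTA0Hstart=MFTA0H.MFTallproperty(160,MFTbuf);// offset of the A0H attribute (not printed)

        printf("%d\n",MFTnum);
        printf("\n");

        // Advance by one record (two sectors); stop rather than overflow the int counters.
        if(MFToffset>INT_MAX-2)
            break;
        MFTnum++;
        MFToffset+=2;
    }
    return 0;
}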
原文地址:http://www.cnblogs.com/javazhu/p/4817460.html