dump.c
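/*
 *  dump.c
 *  Output functions for the ntfs tools
 *
 *  Copyright (C) 1995-1997 Martin von Löwis
 *  Copyright (C) 1997,1999 Régis Duchesne
 *  Copyright (c) 1999 Richard Russon
 *
 *  1999/04/05: Merged Security Descriptor dump code from Richard --red
 */

/*
 * NOTE(review): every structure printed by this file is read from the volume
 * under examination, so lengths, counts and offsets found in it are untrusted.
 * Several routines below (dump_standard_information, print_name,
 * dump_filename, dump_sid, display_ace) receive only a pointer and no length;
 * their callers are responsible for making sure enough bytes are available.
 */

#include <errno.h>
#include "ntfstypes.h"
#include "struct.h"
#include "dump.h"
#include "config.h"
#include "util.h"
#include "nttools.h"
#include "inode.h"
#include "dir.h"
#include "support.h"
#include <stdio.h>
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#ifdef HAVE_IO_H
#include <io.h>
#endif
#include <ctype.h>
#include <stdlib.h>
#include "macros.h"

/* attribute names. Maybe this gets merged into ntfs_volume some day */
static char* attr_names=0;
static int attr_names_size;

/*
 * Print one hex-dump row: the index, up to 16 bytes in hex, then the same
 * bytes as characters ('.' for anything outside 32..127).
 * Only `count` bytes of `row` are read; missing hex columns are padded with
 * blanks so the character column stays aligned on a short last row.
 */
static void dump_row(const unsigned char *row, int count, int index)
{
    int i;

    printf("%8.8X ", (unsigned)index);
    for (i = 0; i < 16; i++) {
        if (i < count)
            printf("%2X ", row[i]);
        else
            printf("   ");
    }
    for (i = 0; i < count; i++) {
        if (row[i] > 31 && row[i] < 128)
            putchar(row[i]);
        else
            putchar('.');
    }
    putchar('\n');
}

/*
 * Dump a block of memory starting at buf. Display length bytes. The
 * displayed index of the first byte is start.
 *
 * The original always printed full 16-byte rows and therefore read up to 15
 * bytes past buf+length when length was not a multiple of 16; the last row
 * is now limited to the bytes that really belong to the block.
 */
void dump_mem(unsigned char *buf, int start, int length)
{
    int offs;

    for (offs = 0; offs < length; offs += 16) {
        int count = length - offs;

        if (count > 16)
            count = 16;
        dump_row(buf + offs, count, start + offs);
    }
}

/*
 * Dump from the raw volume, starting at position. `start` is the index
 * shown for the first byte; length == -1 means "until a read fails".
 * Data is read and printed in whole 16-byte rows, so a length that is not a
 * multiple of 16 is rounded up to the next row.
 */
void dump(ntfs_volume *vol, ntfs_size_t position, int start, int length)
{
    int offset;

    /* NOTE(review): the result of ntfs_lseek() is not checked here. */
    ntfs_lseek(NTFS_FD(vol), position, SEEK_SET);
    for (offset = 0; length == -1 || offset < length; offset += 16) {
        unsigned char buf[16];

        /* A short read (e.g. end of volume) ends the dump the same way
           as a read error does. */
        if (read(NTFS_FD(vol), buf, 16) != 16) {
            perror("read");
            return;
        }
        dump_row(buf, 16, start + offset);
    }
}

/*
 * Print a string stored as two-byte characters, taking the first byte of
 * each pair and complaining if the second byte is non-zero. Printing stops
 * at the first pair whose first byte is zero.
 * There is no length limit: the caller must guarantee that such a
 * terminating pair exists inside the buffer.
 */
static void uniprintz(char *first)
{
    while (*first) {
        putchar(*first++);
        if (*first++) {
            printf("!!!!Error printing string\n");
            return;
        }
    }
}

/*
 * Find a string on the volume, starting at position.
 * If searching for Unicode strings, the string argument should already be
 * Unicode.
 *
 * The volume is scanned with a sliding window of two BSIZE blocks so that a
 * match may straddle a block boundary. Returns position + offset of the
 * first match, or -1 if nothing was found or a read failed.
 *
 * Changes against the original:
 *  - stringlen must be in 1..BSIZE; a longer pattern made the comparison
 *    loop index past the end of the 2*BSIZE window.
 *  - with ignore_case the pattern is lower-cased over stringlen bytes, not
 *    up to the first zero byte (a Unicode pattern contains zero bytes, so
 *    only its first character used to be folded).
 *  - the first read is checked, so an unfilled buffer is never searched.
 *
 * NOTE(review): `string` is modified in place when ignore_case is set.
 * NOTE(review): the result is returned as int, so offsets that do not fit
 * in an int are truncated; the interface is kept as it is.
 * NOTE(review): a block is only searched after the block following it has
 * been read completely, so the tail of the volume is not searched.
 */
#define BSIZE 32768
int grep(ntfs_volume *vol, ntfs_size_t position, int length,
         unsigned char *string, int stringlen, int ignore_case)
{
    int offset;
    int b_offs;
    int i;
    unsigned char buf[2*BSIZE];

    if (stringlen <= 0 || stringlen > BSIZE)
        return -1;

    if (ignore_case)
        for (i = 0; i < stringlen; i++)
            string[i] = tolower(string[i]);

    ntfs_lseek(NTFS_FD(vol), position, SEEK_SET);
    if (read(NTFS_FD(vol), buf, BSIZE) != BSIZE) {
        perror("read");
        return -1;
    }
    if (ignore_case)
        for (i = 0; i < BSIZE; i++)
            buf[i] = tolower(buf[i]);

    for (offset = b_offs = 0; length == -1 || offset < length; offset += BSIZE) {
        /* Fill the upper half of the window with the next block. */
        if (read(NTFS_FD(vol), buf + BSIZE, BSIZE) != BSIZE) {
            perror("read");
            return -1;
        }
        if (ignore_case)
            for (i = BSIZE; i < 2*BSIZE; i++)
                buf[i] = tolower(buf[i]);

        /* Candidate starts lie in the lower half; the comparison may run
           into the upper half (at most stringlen-1 <= BSIZE-1 bytes). */
        for (; b_offs < BSIZE; b_offs++)
            if (buf[b_offs] == string[0]) {
                for (i = 0; i < stringlen; i++)
                    if (buf[b_offs+i] != string[i])
                        break;
                if (i == stringlen)
                    return position + offset + b_offs;
            }

        /* Slide the window: the upper half becomes the lower half. */
        ntfs_memcpy(buf, buf + BSIZE, BSIZE);
        b_offs -= BSIZE;
    }
    return -1;
}

/*
 * Print the name of attribute type `type`, looked up in the volume's
 * attribute definition file (FILE_ATTRDEF). The table is read once and
 * cached in attr_names / attr_names_size. Prints "Unknown type" if no
 * record matches. Returns 0, or an errno-style code if the table could not
 * be loaded.
 *
 * Changes against the original:
 *  - the read request is sized to the buffer (it was a fixed 4096 bytes
 *    whatever size had been allocated),
 *  - the buffer is zero-filled and two bytes longer than the table, so
 *    uniprintz() always finds a terminator inside the allocation,
 *  - the buffer is released when the read fails,
 *  - only complete 0xA0-byte records are examined.
 *
 * NOTE(review): attrdef is initialised with ntfs_init_inode() and never
 * released in this function; check whether the inode API needs a matching
 * cleanup call.
 */
static int
print_attr_type(ntfs_volume* vol,int type)
{
    int offset,error;

    if (!attr_names) {
        ntfs_attribute *data;
        ntfs_io io;
        ntfs_inode attrdef;
        ntfs_u8 *buf;
        int size;

        error = ntfs_init_inode(&attrdef, vol, FILE_ATTRDEF);
        if (error)
            return error;
        offset = 0;
        data = ntfs_find_attr(&attrdef, vol->at_data, NULL);
        if (!data)
            return EINVAL;
        /* The size comes from the volume; refuse nonsense values. */
        size = data->size;
        if (size <= 0)
            return EINVAL;
        buf = calloc(1, (size_t)size + 2);
        if (!buf)
            return ENOMEM;
        io.fn_put = ntfs_put;
        io.fn_get = ntfs_get;
        io.do_read = 1;
        io.param = buf;
        io.size = size;
        error = ntfs_readwrite_attr(&attrdef, data, offset, &io);
        if (error) {
            free(buf);
            return error;
        }
        attr_names = (char *)buf;
        attr_names_size = size;
    }

    /* Each record is 0xA0 bytes: the type code is read at +0x80 and the
       name is printed from +2. */
    for (offset = 0; offset + 0xA0 <= attr_names_size; offset += 0xA0)
        if (NTFS_GETU32(attr_names+offset+0x80) == type) {
            uniprintz(attr_names+offset+2);
            return 0;
        }
    printf("Unknown type");
    return 0;
}

/*
 * Print the attribute list for the MFT record at offset on the volume.
 * Reads 4096 bytes, checks them with ntfs_check_mft_record() and hands the
 * record to list_attr_mem().
 */
void list_attributes(ntfs_volume *vol, ntfs_size_t offset)
{
    char rec[4096];

    ntfs_lseek(NTFS_FD(vol), offset, SEEK_SET);
    if (read(NTFS_FD(vol), rec, sizeof(rec)) != sizeof(rec)) {
        perror("read");
        return;
    }
    if (!ntfs_check_mft_record(vol, rec)) {
        fprintf(stderr, "Not a mft record\n");
        return;
    }
    list_attr_mem(vol, rec);
}

/*
 * Dump the standard information attribute: four 64-bit time stamps at
 * offsets 0x00, 0x08, 0x10 and 0x18. The caller must provide at least
 * 0x20 readable bytes.
 */
static void dump_standard_information(ntfs_u8 *start)
{
    printf("\tCreation time ");
    print_time(NTFS_GETU64(start));
    printf("\n\tModification time ");
    print_time(NTFS_GETU64(start + 0x8));
    printf("\n\tMFT Modification time ");
    print_time(NTFS_GETU64(start + 0x10));
    printf("\n\tAccess time ");
    print_time(NTFS_GETU64(start + 0x18));
    printf("\n");
}

/*
 * Dump the attribute list attribute stored in [start, stop).
 *
 * Each entry carries its own length at +4. The original looped while
 * start != stop, so an entry length of 0 never terminated and a length
 * that stepped over `stop` walked off the end of the buffer. Entries are
 * now checked against the remaining bytes before anything is read from
 * them, and the walk stops at the first malformed entry.
 */
static void dump_attribute_list(ntfs_u8 *start, ntfs_u8 *stop)
{
    while (start < stop) {
        long left = stop - start;
        long entry_len;
        long name_len;

        /* 0x1A bytes of fixed fields precede the name. */
        if (left < 0x1A) {
            printf("\t(truncated attribute list entry)\n");
            break;
        }
        entry_len = NTFS_GETU16(start+4);
        name_len = NTFS_GETU8(start+0x6);
        /* assumes uniprint() takes a count of two-byte characters -
           TODO confirm against util.h */
        if (entry_len < 0x1A || entry_len > left ||
            0x1A + 2 * name_len > left) {
            printf("\t(malformed attribute list entry)\n");
            break;
        }
        printf("\tType %X,MFT# %X,Start VCN %X ", NTFS_GETU32(start),
               NTFS_GETU32(start+0x10), NTFS_GETU32(start+0x8));
        uniprint(start+0x1A, (int)name_len);
        start += entry_len;
        putchar('\n');
    }
}

/*
 * Print a file name: first[0] is the length, first[1] the name space
 * (0..3), the name itself follows.
 * NOTE(review): the length byte is taken from the volume and is not
 * checked against the size of the enclosing attribute, which this function
 * does not receive.
 */
static void print_name(ntfs_u8 *first)
{
    int length = *(unsigned char*)first++;

    switch (*first++) {
    case 0: printf("Posix-Name:"); break;
    case 1: printf("Unicode-Name:"); break;
    case 2: printf("DOS-Name:"); break;
    case 3: printf("Unicode+DOS:"); break;
    default:
        printf("Don't know how to read the name\n");
        return;
    }
    uniprint(first, length);
    puts("");
}

/*
 * Dump the filename attribute: the name block at +0x40 and the 32-bit
 * value at +0 ("Indexed in").
 */
static void dump_filename(ntfs_u8 *start)
{
    printf("\t");
    print_name(start+0x40);
    printf("\tIndexed in 0x%X\n", NTFS_GETU32(start));
}

/* Windows limits a SID to 15 sub-authorities (SID_MAX_SUB_AUTHORITIES). */
enum { DUMP_SID_MAX_SUBAUTH = 15 };

/*
 * Dump a sid in S-R-I-S-S... form and return the size its header claims
 * (8 + 4 * number of sub-authorities).
 *
 * Layout read here: revision (1 byte), sub-authority count (1 byte),
 * identifier authority (6 bytes, most significant first), then the
 * sub-authorities as 32-bit values.
 *
 * Changes against the original:
 *  - at most DUMP_SID_MAX_SUBAUTH sub-authorities are printed; a larger
 *    count is shown as "-..." instead of reading up to 255 values from a
 *    buffer whose length is unknown here,
 *  - sub-authorities are read with NTFS_GETU32 like the rest of the file,
 *    instead of dereferencing a possibly misaligned ntfs_u32 pointer,
 *  - "%Lu" is not a standard conversion for an integer; "%llu" is used.
 *
 * The return value still reflects the count stored in the SID.
 */
long dump_sid (ntfs_u8 *sid)
{
    int revision;
    int sa_count;
    int shown;
    int i;
    ntfs_u64 ident_auth = 0;

    revision = *sid;    /* Should always be 1 */
    sid++;
    sa_count = *sid;    /* Number of Sub-authorities */
    sid++;

    for (i = 0; i < 6; i ++) {
        ident_auth <<= 8;
        ident_auth += *sid;
        sid++;
    }

    printf ("S-%d-%llu", revision, (unsigned long long) ident_auth);

    shown = sa_count;
    if (shown > DUMP_SID_MAX_SUBAUTH)
        shown = DUMP_SID_MAX_SUBAUTH;
    for (i = 0; i < shown; i++) {
        printf ("-%u", (unsigned) NTFS_GETU32 (sid));
        sid += 4;
    }
    if (shown != sa_count)
        printf ("-...");

    return 8 + (sa_count * 4);
}

/*
 * Print the inheritance bits of an ACE flags byte.
 * 0x1 object inherit, 0x2 container inherit, 0x4 no propagate inherit,
 * 0x8 inherit only.
 */
void display_access_flags (ntfs_u8 flags)
{
    if (flags & 0x1) printf (" Obj inh ACE");
    if (flags & 0x2) printf (" Con inh ACE");
    if (flags & 0x4) printf (" No prop inh");
    if (flags & 0x8) printf (" Inh onlyACE");
}

/*
 * Print an access mask as six columns "RWXDPO", '.' where the right is
 * absent. R, W and X require every bit of the file generic read
 * (0x00120089), write (0x00120116) and execute (0x001200a0) sets;
 * D = delete, P = change permissions (write DAC), O = take ownership.
 */
void display_access_mask (ntfs_u32 mask)
{
    if ((mask & 0x00120089) == 0x00120089) printf ("R"); else printf (".");
    if ((mask & 0x00120116) == 0x00120116) printf ("W"); else printf (".");
    if ((mask & 0x001200a0) == 0x001200a0) printf ("X"); else printf (".");
    if ((mask & 0x00010000) == 0x00010000) printf ("D"); else printf (".");
    if ((mask & 0x00040000) == 0x00040000) printf ("P"); else printf (".");
    if ((mask & 0x00080000) == 0x00080000) printf ("O"); else printf (".");
}

/* Print mask and inheritance flags of an access-allowed ACE. */
void display_access_allowed_ace (ntfs_u8 *ace)
{
    ntfs_u32 mask  = NTFS_GETU32 (ace + 4);
    ntfs_u8  flags = NTFS_GETU8  (ace + 1);

    display_access_mask (mask);
    display_access_flags (flags);
}

/* Print mask and inheritance flags of an access-denied ACE. */
void display_access_denied_ace (ntfs_u8 *ace)
{
    ntfs_u32 mask  = NTFS_GETU32 (ace + 4);
    ntfs_u8  flags = NTFS_GETU8  (ace + 1);

    display_access_mask (mask);
    display_access_flags (flags);
}

/*
 * Print mask and audit flags of a system-audit ACE.
 * In the Windows ACE header 0x40 is the successful-access flag and 0x80 the
 * failed-access flag; the original listing printed the two labels the other
 * way round, which misreports what an audit entry records.
 */
void display_system_audit_ace (ntfs_u8 *ace)
{
    ntfs_u32 mask  = NTFS_GETU32 (ace + 4);
    ntfs_u8  flags = NTFS_GETU8  (ace + 1);

    display_access_mask (mask);

    if (flags & 0x40) printf (" Success ");
    if (flags & 0x80) printf (" Failure ");
}

/*
 * Print one ACE and return the size stored in its header.
 * Header: type (+0), flags (+1), size (+2, 16 bit), access mask (+4);
 * for the three known types a SID follows at +8.
 * The caller must guarantee that the 8 header bytes and ace_size bytes in
 * total are readable. The SID is only printed if its declared length fits
 * inside the ACE; the original called dump_sid() unconditionally.
 */
long display_ace (ntfs_u8 *ace)
{
    ntfs_u8  type     = NTFS_GETU8  (ace);
    //ntfs_u8  flags    = NTFS_GETU8  (ace + 1);
    ntfs_u16 ace_size = NTFS_GETU16 (ace + 2);
    ntfs_u32 mask     = NTFS_GETU32 (ace + 4);

    switch (type) {
    case 0x00:
        printf ("\t\tAccess allowed: ");
        display_access_allowed_ace(ace);
        break;
    case 0x01:
        printf ("\t\tAccess denied:  ");
        display_access_denied_ace(ace);
        break;
    case 0x02:
        printf ("\t\tSystem audit:   ");
        display_system_audit_ace(ace);
        break;
    default:
        printf ("\t\tUnknown: %#010x\n", (unsigned) mask);
        return ace_size;
    }

    printf (" ");
    /* 8 bytes of ACE header + 8 bytes of SID header + 4 per sub-authority
       (the count is the second byte of the SID, i.e. ace + 9). */
    if (ace_size >= 16 && 16 + 4 * (long) NTFS_GETU8 (ace + 9) <= ace_size)
        dump_sid (ace + 8);
    else
        printf ("(SID does not fit in ACE)");
    printf ("\n");

    /* The original compared dump_sid()'s result with ace_size in an empty
       if ("I've seen this happen"); the two always differ because ace_size
       includes the 8-byte ACE header. */
    return ace_size;
}

/*
 * Print an ACL: the entry count, then each ACE. Returns 8 plus the sizes
 * of the ACEs that were displayed.
 * Header: size (+2, 16 bit), number of ACEs (+4, 16 bit), ACEs from +8.
 *
 * `len` is used as the number of bytes available. Every ACE header and
 * every ACE size is now checked against the ACL size before display_ace()
 * is called, and an ACE size below 8 stops the walk.
 *
 * NOTE(review): the calls visible in dump_security_descriptor() pass the
 * length of the whole descriptor rather than the bytes remaining after the
 * ACL offset, so the acl_size < len test alone does not prove the ACL lies
 * inside the attribute.
 */
long display_acl (ntfs_u8 *acl, int len)
{
    //ntfs_u8  version  = NTFS_GETU8  (acl);
    //ntfs_u8  unknown1 = NTFS_GETU8  (acl + 1);
    long acl_size;
    long num_aces;
    //ntfs_u32 unknown2 = NTFS_GETU16 (acl + 6);
    long l;
    long size = 8;

    if (len < 8) {
        printf (" (truncated ACL header)\n");
        return size;
    }
    acl_size = NTFS_GETU16 (acl + 2);
    num_aces = NTFS_GETU16 (acl + 4);

    printf (" %u entr%s\n", (unsigned) num_aces, num_aces == 1 ? "y" : "ies");

    if (acl_size < len) {
        for (l = 0; l < num_aces; l++) {
            long ace_size;

            if (size + 8 > acl_size) {
                printf ("\t\t(ACE header past end of ACL)\n");
                break;
            }
            ace_size = NTFS_GETU16 (acl + size + 2);
            if (ace_size < 8 || size + ace_size > acl_size) {
                printf ("\t\t(malformed ACE)\n");
                break;
            }
            size += display_ace (acl + size);
        }
    } else {
        printf ("\t\t(ACL size exceeds attribute; entries not shown)\n");
    }

    return size;
}

/* dump the security descriptor attribute */
static void dump_security_descriptor(ntfs_u8 *start, int len)
{
    //ntfs_u32 unknown       = NTFS_GETU32 (start);    // This looks like flags
    ntfs_u32 off_user      = NTFS_GETU32 (start + 0x4);    // user SID
    ntfs_u32 off_group     = NTFS_GETU32 (start + 0x8);    // group SID
    ntfs_u32 off_acl_audit = NTFS_GETU32 (start + 0xC);    // ACL containing audit info
    ntfs_u32 off_acl_perms = NTFS_GETU32 (start + 0x10);    // ACL containing permission info

    /* When the Audit ACL is missing, its offset is zeroed */
    if (off_acl_audit && off_acl_audit < len) {
        printf ("\tACL - Audit");
        display_acl (start + off_acl_audit, len);
    }

    if (off_acl_perms < len) {
        printf ("\tACL - Permissions");
        display_acl (start + off_acl_perms, len);
    }

    if (off_user < len) {
        printf ("\tUser:  ");
        dump_sid (start + off_user);
        printf ("\n");
    }

    if (off_group < len) {
        printf ("\tGroup: ");
        dump_sid (start + off_group);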