|
|
/*++
Copyright (c) 1991 Microsoft Corporation
Module Name:
Ntfs.h
Current Version Numbers:
Major.Minor Version: 3.1
Abstract:
This module defines the on-disk structure of the Ntfs file system.
An Ntfs volume consists of sectors of data allocated on a granularity called a cluster. The cluster factor is the number of sectors per cluster. Valid cluster factors are 1, 2, 4, 8, etc.
The Ntfs volume starts with a boot sector at LBN=0, and a duplicate boot sector at LBN=(number of sectors on the partition div 2). So a disk with N sectors start with two boot sectors as illustrated.
0 ... N/2 ... N +-----------+-------+------------+-------+------------+ |BootSector | ... | BootSector | ... | | +-----------+-------+------------+-------+------------+
The boot sector gives you the standard Bios Parameter Block, and tells you how many sectors are in the volume, and gives you the starting LCNs of the master file table (mft) and the duplicate master file table (mft2).
The master file table contains the file record segments for all of the volume. The first 16 or so file record segments are reserved for special files. Mft2 only mirrors the first three record segments.
0 1 2 3 4 5 6 7 8 9 ... +---+---+---+---+---+---+---+---+---+---+-----+ | M | M | L | V | A | R | B | B | B | Q | | | f | f | o | o | t | o | i | o | a | u | | | t | t | g | l | t | o | t | o | d | o | | | | 2 | F | D | r | t | M | t | C | t | ... | | | | i | a | D | D | a | | l | a | | | | | l | s | e | i | p | | u | | | | | | e | d | f | r | | | s | | | +---+---+---+---+---+---+---+---+---+---+-----+
Each file record segment starts with a file record segment header, and is followed by one or more attributes. Each attribute starts with an attribute record header. The attribute record denotes the attribute type, optional name, and value for the attribute. If the attribute is resident the value is contained in the file record and immediately follows the attribute record header. If the attribute is non-resident the value value is off in some other sectors on the disk.
+---------+-----------------+-------+ | File | Attrib : Name | | | Record | Record : and/or | ... | | Segment | Header : Attrib | | | Header | : Data | | +---------+-----------------+-------+
Now if we run out of space for storing attributes in the file record segment we allocate additional file record segments and insert in the first (or base) file record segment an attribute called the Attribute List. The attribute list indicates for every attribute associated with the file where the attribute can be found. This includes those in the base file record.
The value part of the attribute we're calling the attribute list is a list of sorted attribute list entries. Though illustrated here as resident the attribute list can be nonresident.
+---------+---------------------------+-----------------+-------+ | File | Attrib : Attrib : | Attrib : Name | | | Record | Record : List : ... | Record : and/or | ... | | Segment | Header : Entry : | Header : Attrib | | | Header | : : | : Data | | +---------+---------------------------+-----------------+-------+
| V
+---------+-----------------+-------+ | File | Attrib : Name | | | Record | Record : and/or | ... | | Segment | Header : Attrib | | | Header | : Data | | +---------+-----------------+-------+
This file defines all of the above structures and also lays out the structures for some predefined attributes values (e.g., standard information, etc).
Attributes are stored in ascending order in the file record and attribute list. The sorting is done by first sorting according to attribute type code, then attribute name, and lastly attribute value. NTFS guarantees that if two attributes of the same type code and name exist on a file then they must have different values, and the values must be resident.
The indexing attributes are the last interesting attribute. The data component of an index root attribute must always be resident and contains an index header followed by a list of index list entries.
+--------+------------------------+ | Attrib | : Index : | | Record | Index : List : ... | | Header | Header : Entry : | | | : : | +--------+------------------------+
Each index list entry contains the key for the index and a reference to the file record segment for the index. If ever we need to spill out of the file record segment we allocate an additional cluster from the disk (not file record segments). The storage for the additional clusters is the data part of an index allocation attribute. So what we wind up with is an index allocation attribute (non-resident) consisting of Index Allocation Buffers which are referenced by the b-tree used in in the index.
+--------+------------------------+-----+---------------------+ | Attrib | Index : Index : | | Attrib : Index | | Record | List : List : ... | ... | Record : Allocation | | Header | Header : Entry : | | Header : | | | : : | | : | +--------+------------------------+-----+---------------------+
| | (VCN within index allocation) V
+------------+------------------------------+ | Index | : Index : Index : | | Allocation | Index : List : List : ... | | Buffer | Header: Entry : Entry : | | | : : : | +------------+------------------------------+
Resident attributes are straight forward. Non-resident attributes require a little more work. If the attribute is non-resident then following the attribute record header is a list of retrieval information giving a VCN to LCN mapping for the attribute. In the figure above the Index allocation attribute is a a non-resident attribute
+---------+----------------------+-------+ | File | Attrib : Retrieval | | | Record | Record : Information | ... | | Segment | Header : | | | Header | : | | +---------+----------------------+-------+
If the retrieval information does not fit in the base file segment then it can be stored in an external file record segment all by itself, and if in the still doesn't fit in one external file record segment then there is a provision in the attribute list to contain multiple entries for an attribute that needs additional retrieval information.
Author:
Brian Andrew [BrianAn] 21-May-1991 David Goebel [DavidGoe] Gary Kimura [GaryKi] Tom Miller [TomM]
Revision History:
IMPORTANT NOTE:
The NTFS on-disk structure must guarantee natural alignment of all arithmetic quantities on disk up to and including quad-word (64-bit) numbers. Therefore, all attribute records are quad-word aligned, etc.
--*/
#ifndef _NTFS_
#define _NTFS_
#pragma pack(4)
�//
// The fundamental unit of allocation on an Ntfs volume is the
// cluster. Format guarantees that the cluster size is an integral
// power of two times the physical sector size of the device. Ntfs
// reserves 64-bits to describe a cluster, in order to support
// large disks. The LCN represents a physical cluster number on
// the disk, and the VCN represents a virtual cluster number within
// an attribute.
//
typedef LONGLONG LCN;typedef LCN *PLCN;
typedef LONGLONG VCN;typedef VCN *PVCN;
typedef LONGLONG LBO;typedef LBO *PLBO;
typedef LONGLONG VBO;typedef VBO *PVBO;
//
// Current Versions
//
#define NTFS_MAJOR_VERSION 3
#define NTFS_MINOR_VERSION 1
//
// Temporary definitions ****
//
typedef ULONG COLLATION_RULE;typedef ULONG DISPLAY_RULE;
//
// The compression chunk size is constant for now, at 4KB.
//
#define NTFS_CHUNK_SIZE (0x1000)
#define NTFS_CHUNK_SHIFT (12)
//
// This number is actually the log of the number of clusters per compression
// unit to be stored in a nonresident attribute record header.
//
#define NTFS_CLUSTERS_PER_COMPRESSION (4)
//
// This is the sparse file unit. This is the unit we use for generating holes
// in sparse files.
//
#define NTFS_SPARSE_FILE_UNIT (0x10000)
//
// Collation Rules
//
//
// For binary collation, values are collated by a binary compare of
// their bytes, with the first byte being most significant.
//
#define COLLATION_BINARY (0)
//
// For collation of Ntfs file names, file names are collated as
// Unicode strings. See below.
//
#define COLLATION_FILE_NAME (1)
//
// For collation of Unicode strings, the strings are collated by
// their binary Unicode value, with the exception that for
// characters which may be upcased, the lower case value for that
// character collates immediately after the upcased value.
//
#define COLLATION_UNICODE_STRING (2)
//
// Total number of collation rules
//
#define COLLATION_NUMBER_RULES (3)
//
// Define the NtOfs Collation Rules
//
#define COLLATION_NTOFS_FIRST (16)
#define COLLATION_NTOFS_ULONG (16)
#define COLLATION_NTOFS_SID (17)
#define COLLATION_NTOFS_SECURITY_HASH (18)
#define COLLATION_NTOFS_ULONGS (19)
#define COLLATION_NTOFS_LAST (19)
//
// The following macros are used to set and query with respect to
// the update sequence arrays.
//
#define UpdateSequenceStructureSize(MSH) ( \
((((PMULTI_SECTOR_HEADER)(MSH))->UpdateSequenceArraySize-1) * \ SEQUENCE_NUMBER_STRIDE) \)
#define UpdateSequenceArraySize(STRUCT_SIZE) ( \
((STRUCT_SIZE) / SEQUENCE_NUMBER_STRIDE + 1) \)
�//
// The MFT Segment Reference is an address in the MFT tagged with
// a circularly reused sequence number set at the time that the MFT
// Segment Reference was valid. Note that this format limits the
// size of the Master File Table to 2**48 segments. So, for
// example, with a 1KB segment size the maximum size of the master
// file would be 2**58 bytes, or 2**28 gigabytes.
//
typedef struct _MFT_SEGMENT_REFERENCE {
//
// First a 48 bit segment number.
//
ULONG SegmentNumberLowPart; // offset = 0x000
USHORT SegmentNumberHighPart; // offset = 0x004
//
// Now a 16 bit nonzero sequence number. A value of 0 is
// reserved to allow the possibility of a routine accepting
// 0 as a sign that the sequence number check should be
// repressed.
//
USHORT SequenceNumber; // offset = 0x006
} MFT_SEGMENT_REFERENCE, *PMFT_SEGMENT_REFERENCE; // sizeof = 0x008
//
// A file reference in NTFS is simply the MFT Segment Reference of
// the Base file record.
//
typedef MFT_SEGMENT_REFERENCE FILE_REFERENCE, *PFILE_REFERENCE;
//
// While the format allows 48 bits worth of segment number, the current
// implementation restricts this to 32 bits. Using NtfsUnsafeSegmentNumber
// results in a performance win. When the implementation changes, the
// unsafe segment numbers must be cleaned up. NtfsFullSegmentNumber is
// used in a few spots to guarantee integrity of the disk.
//
#define NtfsSegmentNumber(fr) NtfsUnsafeSegmentNumber( fr )
#define NtfsFullSegmentNumber(fr) ( (*(ULONGLONG UNALIGNED *)(fr)) & 0xFFFFFFFFFFFF )
#define NtfsUnsafeSegmentNumber(fr) ((fr)->SegmentNumberLowPart)
#define NtfsSetSegmentNumber(fr,high,low) \
((fr)->SegmentNumberHighPart = (high), (fr)->SegmentNumberLowPart = (low))
#define NtfsEqualMftRef(X,Y) ( NtfsSegmentNumber( X ) == NtfsSegmentNumber( Y ) )
#define NtfsLtrMftRef(X,Y) ( NtfsSegmentNumber( X ) < NtfsSegmentNumber( Y ) )
#define NtfsGtrMftRef(X,Y) ( NtfsSegmentNumber( X ) > NtfsSegmentNumber( Y ) ) \
#define NtfsLeqMftRef(X,Y) ( NtfsSegmentNumber( X ) <= NtfsSegmentNumber( Y ) )
#define NtfsGeqMftRef(X,Y) ( NtfsSegmentNumber( X ) >= NtfsSegmentNumber( Y ) )
//
// System File Numbers. The following file numbers are a fixed
// part of the volume number. For the system files, the
// SequenceNumber is always equal to the File Number. So to form a
// File Reference for a given System File, set LowPart and
// SequenceNumber to the File Number, and set HighPart to 0. Any
// unused file numbers prior to FIRST_USER_FILE_NUMBER should not
// be used. They are reserved to allow the potential for easy
// upgrade of existing volumes from future versions of the file
// system.
//
// Each definition below is followed by a comment containing
// the file name for the file:
//
// Number Name
// ------ ----
#define MASTER_FILE_TABLE_NUMBER (0) // $Mft
#define MASTER_FILE_TABLE2_NUMBER (1) // $MftMirr
#define LOG_FILE_NUMBER (2) // $LogFile
#define VOLUME_DASD_NUMBER (3) // $Volume
#define ATTRIBUTE_DEF_TABLE_NUMBER (4) // $AttrDef
#define ROOT_FILE_NAME_INDEX_NUMBER (5) // .
#define BIT_MAP_FILE_NUMBER (6) // $BitMap
#define BOOT_FILE_NUMBER (7) // $Boot
#define BAD_CLUSTER_FILE_NUMBER (8) // $BadClus
#define SECURITY_FILE_NUMBER (9) // $Secure
#define UPCASE_TABLE_NUMBER (10) // $UpCase
#define EXTEND_NUMBER (11) // $Extend
#define LAST_SYSTEM_FILE_NUMBER (11)
#define FIRST_USER_FILE_NUMBER (16)
//
// The number of bits to extend the Mft and bitmap. We round these up to a
// cluster boundary for a large cluster volume
//
#define BITMAP_EXTEND_GRANULARITY (64)
#define MFT_HOLE_GRANULARITY (32)
#define MFT_EXTEND_GRANULARITY (16)
//
// The shift values for determining the threshold for the Mft defragging.
//
#define MFT_DEFRAG_UPPER_THRESHOLD (3) // Defrag if 1/8 of free space
#define MFT_DEFRAG_LOWER_THRESHOLD (4) // Stop at 1/16 of free space
�//
// Attribute Type Code. Attribute Types also have a Unicode Name,
// and the correspondence between the Unicode Name and the
// Attribute Type Code is stored in the Attribute Definition File.
//
typedef ULONG ATTRIBUTE_TYPE_CODE;typedef ATTRIBUTE_TYPE_CODE *PATTRIBUTE_TYPE_CODE;
//
// System-defined Attribute Type Codes. For the System-defined
// attributes, the Unicode Name is exactly equal to the name of the
// following symbols. For this reason, all of the system-defined
// attribute names start with "$", to always distinguish them when
// attribute names are listed, and to reserve a namespace for
// attributes defined in the future. I.e., a User-Defined
// attribute name will never collide with a current or future
// system-defined attribute name if it does not start with "$".
// User attribute numbers should not start until
// $FIRST_USER_DEFINED_ATTRIBUTE, to allow the potential for
// upgrading existing volumes with new user-defined attributes in
// future versions of NTFS. The tagged attribute list is
// terminated with a lone-standing 0 ($END) - the rest of the
// attribute record does not exist.
//
// The type code value of 0 is reserved for convenience of the
// implementation.
//
#define $UNUSED (0X0)
#define $STANDARD_INFORMATION (0x10)
#define $ATTRIBUTE_LIST (0x20)
#define $FILE_NAME (0x30)
#define $OBJECT_ID (0x40)
#define $SECURITY_DESCRIPTOR (0x50)
#define $VOLUME_NAME (0x60)
#define $VOLUME_INFORMATION (0x70)
#define $DATA (0x80)
#define $INDEX_ROOT (0x90)
#define $INDEX_ALLOCATION (0xA0)
#define $BITMAP (0xB0)
#define $REPARSE_POINT (0xC0)
#define $EA_INFORMATION (0xD0)
#define $EA (0xE0)
// #define $LOGGED_UTILITY_STREAM (0x100) // defined in ntfsexp.h
#define $FIRST_USER_DEFINED_ATTRIBUTE (0x1000)
#define $END (0xFFFFFFFF)
�//
// The boot sector is duplicated on the partition. The first copy
// is on the first physical sector (LBN == 0) of the partition, and
// the second copy is at <number sectors on partition> / 2. If the
// first copy can not be read when trying to mount the disk, the
// second copy may be read and has the identical contents. Format
// must figure out which cluster the second boot record belongs in,
// and it must zero all of the other sectors that happen to be in
// the same cluster. The boot file minimally contains with two
// clusters, which are the two clusters which contain the copies of
// the boot record. If format knows that some system likes to put
// code somewhere, then it should also align this requirement to
// even clusters, and add that to the boot file as well.
//
// Part of the sector contains a BIOS Parameter Block. The BIOS in
// the sector is packed (i.e., unaligned) so we'll supply an
// unpacking macro to translate a packed BIOS into its unpacked
// equivalent. The unpacked BIOS structure is already defined in
// ntioapi.h so we only need to define the packed BIOS.
//
//
// Define the Packed and Unpacked BIOS Parameter Block
//
typedef struct _PACKED_BIOS_PARAMETER_BLOCK {
UCHAR BytesPerSector[2]; // offset = 0x000
UCHAR SectorsPerCluster[1]; // offset = 0x002
UCHAR ReservedSectors[2]; // offset = 0x003 (zero)
UCHAR Fats[1]; // offset = 0x005 (zero)
UCHAR RootEntries[2]; // offset = 0x006 (zero)
UCHAR Sectors[2]; // offset = 0x008 (zero)
UCHAR Media[1]; // offset = 0x00A
UCHAR SectorsPerFat[2]; // offset = 0x00B (zero)
UCHAR SectorsPerTrack[2]; // offset = 0x00D
UCHAR Heads[2]; // offset = 0x00F
UCHAR HiddenSectors[4]; // offset = 0x011 (zero)
UCHAR LargeSectors[4]; // offset = 0x015 (zero)
} PACKED_BIOS_PARAMETER_BLOCK; // sizeof = 0x019
typedef PACKED_BIOS_PARAMETER_BLOCK *PPACKED_BIOS_PARAMETER_BLOCK;
typedef struct BIOS_PARAMETER_BLOCK {
USHORT BytesPerSector; UCHAR SectorsPerCluster; USHORT ReservedSectors; UCHAR Fats; USHORT RootEntries; USHORT Sectors; UCHAR Media; USHORT SectorsPerFat; USHORT SectorsPerTrack; USHORT Heads; ULONG HiddenSectors; ULONG LargeSectors;
} BIOS_PARAMETER_BLOCK;
typedef BIOS_PARAMETER_BLOCK *PBIOS_PARAMETER_BLOCK;
//
// This macro takes a Packed BIOS and fills in its Unpacked
// equivalent
//
#define NtfsUnpackBios(Bios,Pbios) { \
CopyUchar2(&((Bios)->BytesPerSector), &(Pbios)->BytesPerSector ); \ CopyUchar1(&((Bios)->SectorsPerCluster), &(Pbios)->SectorsPerCluster); \ CopyUchar2(&((Bios)->ReservedSectors), &(Pbios)->ReservedSectors ); \ CopyUchar1(&((Bios)->Fats), &(Pbios)->Fats ); \ CopyUchar2(&((Bios)->RootEntries), &(Pbios)->RootEntries ); \ CopyUchar2(&((Bios)->Sectors), &(Pbios)->Sectors ); \ CopyUchar1(&((Bios)->Media), &(Pbios)->Media ); \ CopyUchar2(&((Bios)->SectorsPerFat), &(Pbios)->SectorsPerFat ); \ CopyUchar2(&((Bios)->SectorsPerTrack), &(Pbios)->SectorsPerTrack ); \ CopyUchar2(&((Bios)->Heads), &(Pbios)->Heads ); \ CopyUchar4(&((Bios)->HiddenSectors), &(Pbios)->HiddenSectors ); \ CopyUchar4(&((Bios)->LargeSectors), &(Pbios)->LargeSectors ); \}
//
// Define the boot sector. Note that MFT2 is exactly three file
// record segments long, and it mirrors the first three file record
// segments from the MFT, which are MFT, MFT2 and the Log File.
//
// The Oem field contains the ASCII characters "NTFS ".
//
// The Checksum field is a simple additive checksum of all of the
// ULONGs which precede the Checksum ULONG. The rest of the sector
// is not included in this Checksum.
//
typedef struct _PACKED_BOOT_SECTOR {
UCHAR Jump[3]; // offset = 0x000
UCHAR Oem[8]; // offset = 0x003
PACKED_BIOS_PARAMETER_BLOCK PackedBpb; // offset = 0x00B
UCHAR Unused[4]; // offset = 0x024
LONGLONG NumberSectors; // offset = 0x028
LCN MftStartLcn; // offset = 0x030
LCN Mft2StartLcn; // offset = 0x038
CHAR ClustersPerFileRecordSegment; // offset = 0x040
UCHAR Reserved0[3]; CHAR DefaultClustersPerIndexAllocationBuffer; // offset = 0x044
UCHAR Reserved1[3]; LONGLONG SerialNumber; // offset = 0x048
ULONG Checksum; // offset = 0x050
UCHAR BootStrap[0x200-0x054]; // offset = 0x054
} PACKED_BOOT_SECTOR; // sizeof = 0x200
typedef PACKED_BOOT_SECTOR *PPACKED_BOOT_SECTOR;
�//
// File Record Segment. This is the header that begins every File
// Record Segment in the Master File Table.
//
typedef struct _FILE_RECORD_SEGMENT_HEADER {
//
// Multi-Sector Header as defined by the Cache Manager. This
// structure will always contain the signature "FILE" and a
// description of the location and size of the Update Sequence
// Array.
//
MULTI_SECTOR_HEADER MultiSectorHeader; // offset = 0x000
//
// Log File Sequence Number of last logged update to this File
// Record Segment.
//
LSN Lsn; // offset = 0x008
//
// Sequence Number. This is incremented each time that a File
// Record segment is freed, and 0 is not used. The
// SequenceNumber field of a File Reference must match the
// contents of this field, or else the File Reference is
// incorrect (presumably stale).
//
USHORT SequenceNumber; // offset = 0x010
//
// This is the count of the number of references which exist
// for this segment, from an INDEX_xxx attribute. In File
// Records Segments other than the Base File Record Segment,
// this field is 0.
//
USHORT ReferenceCount; // offset = 0x012
//
// Offset to the first Attribute record in bytes.
//
USHORT FirstAttributeOffset; // offset = 0x014
//
// FILE_xxx flags.
//
USHORT Flags; // offset = 0x016
//
// First free byte available for attribute storage, from start
// of this header. This value should always be aligned to a
// quad-word boundary, since attributes are quad-word aligned.
//
ULONG FirstFreeByte; // offset = x0018
//
// Total bytes available in this file record segment, from the
// start of this header. This is essentially the file record
// segment size.
//
ULONG BytesAvailable; // offset = 0x01C
//
// This is a File Reference to the Base file record segment for
// this file. If this is the Base, then the value of this
// field is all 0's.
//
FILE_REFERENCE BaseFileRecordSegment; // offset = 0x020
//
// This is the attribute instance number to be used when
// creating an attribute. It is zeroed when the base file
// record is created, and captured for each new attribute as it
// is created and incremented afterwards for the next
// attribute. Instance numbering must also occur for the
// initial attributes. Zero is a valid attribute instance
// number, and typically used for standard information.
//
USHORT NextAttributeInstance; // offset = 0x028
//
// Current FRS record - this is here for recovery alone and added in 5.1
// Note: this is not aligned
//
USHORT SegmentNumberHighPart; // offset = 0x02A
ULONG SegmentNumberLowPart; // offset = 0x02C
//
// Update Sequence Array to protect multi-sector transfers of
// the File Record Segment. Accesses to already initialized
// File Record Segments should go through the offset above, for
// upwards compatibility.
//
UPDATE_SEQUENCE_ARRAY UpdateArrayForCreateOnly; // offset = 0x030
} FILE_RECORD_SEGMENT_HEADER;typedef FILE_RECORD_SEGMENT_HEADER *PFILE_RECORD_SEGMENT_HEADER;
//
// earlier version of FRS from 5.0
//
typedef struct _FILE_RECORD_SEGMENT_HEADER_V0 {
//
// Multi-Sector Header as defined by the Cache Manager. This
// structure will always contain the signature "FILE" and a
// description of the location and size of the Update Sequence
// Array.
//
MULTI_SECTOR_HEADER MultiSectorHeader; // offset = 0x000
//
// Log File Sequence Number of last logged update to this File
// Record Segment.
//
LSN Lsn; // offset = 0x008
//
// Sequence Number. This is incremented each time that a File
// Record segment is freed, and 0 is not used. The
// SequenceNumber field of a File Reference must match the
// contents of this field, or else the File Reference is
// incorrect (presumably stale).
//
USHORT SequenceNumber; // offset = 0x010
//
// This is the count of the number of references which exist
// for this segment, from an INDEX_xxx attribute. In File
// Records Segments other than the Base File Record Segment,
// this field is 0.
//
USHORT ReferenceCount; // offset = 0x012
//
// Offset to the first Attribute record in bytes.
//
USHORT FirstAttributeOffset; // offset = 0x014
//
// FILE_xxx flags.
//
USHORT Flags; // offset = 0x016
//
// First free byte available for attribute storage, from start
// of this header. This value should always be aligned to a
// quad-word boundary, since attributes are quad-word aligned.
//
ULONG FirstFreeByte; // offset = x0018
//
// Total bytes available in this file record segment, from the
// start of this header. This is essentially the file record
// segment size.
//
ULONG BytesAvailable; // offset = 0x01C
//
// This is a File Reference to the Base file record segment for
// this file. If this is the Base, then the value of this
// field is all 0's.
//
FILE_REFERENCE BaseFileRecordSegment; // offset = 0x020
//
// This is the attribute instance number to be used when
// creating an attribute. It is zeroed when the base file
// record is created, and captured for each new attribute as it
// is created and incremented afterwards for the next
// attribute. Instance numbering must also occur for the
// initial attributes. Zero is a valid attribute instance
// number, and typically used for standard information.
//
USHORT NextAttributeInstance; // offset = 0x028
//
// Update Sequence Array to protect multi-sector transfers of
// the File Record Segment. Accesses to already initialized
// File Record Segments should go through the offset above, for
// upwards compatibility.
//
UPDATE_SEQUENCE_ARRAY UpdateArrayForCreateOnly; // offset = 0x02A
} FILE_RECORD_SEGMENT_HEADER_V0;
//
// FILE_xxx flags.
//
#define FILE_RECORD_SEGMENT_IN_USE (0x0001)
#define FILE_FILE_NAME_INDEX_PRESENT (0x0002)
#define FILE_SYSTEM_FILE (0x0004)
#define FILE_VIEW_INDEX_PRESENT (0x0008)
//
// Define a macro to determine the maximum space available for a
// single attribute. For example, this is required when a
// nonresident attribute has to split into multiple file records -
// we need to know how much we can squeeze into a single file
// record. If this macro has any inaccurracy, it must be in the
// direction of returning a slightly smaller number than actually
// required.
//
// ULONG
// NtfsMaximumAttributeSize (
// IN ULONG FileRecordSegmentSize
// );
//
#define NtfsMaximumAttributeSize(FRSS) ( \
(FRSS) - QuadAlign(sizeof(FILE_RECORD_SEGMENT_HEADER)) - \ QuadAlign((((FRSS) / SEQUENCE_NUMBER_STRIDE) * sizeof(UPDATE_SEQUENCE_NUMBER))) - \ QuadAlign(sizeof(ATTRIBUTE_TYPE_CODE)) \)
�//
// Attribute Record. Logically an attribute has a type, an
// optional name, and a value, however the storage details make it
// a little more complicated. For starters, an attribute's value
// may either be resident in the file record segment itself, on
// nonresident in a separate data stream. If it is nonresident, it
// may actually exist multiple times in multiple file record
// segments to describe different ranges of VCNs.
//
// Attribute Records are always aligned on a quad word (64-bit)
// boundary.
//
typedef struct _ATTRIBUTE_RECORD_HEADER {
//
// Attribute Type Code.
//
ATTRIBUTE_TYPE_CODE TypeCode; // offset = 0x000
//
// Length of this Attribute Record in bytes. The length is
// always rounded to a quad word boundary, if necessary. Also
// the length only reflects the size necessary to store the
// given record variant.
//
ULONG RecordLength; // offset = 0x004
//
// Attribute Form Code (see below)
//
UCHAR FormCode; // offset = 0x008
//
// Length of the optional attribute name in characters, or 0 if
// there is none.
//
UCHAR NameLength; // offset = 0x009
//
// Offset to the attribute name from start of attribute record,
// in bytes, if it exists. This field is undefined if
// NameLength is 0.
//
USHORT NameOffset; // offset = 0x00A
//
// ATTRIBUTE_xxx flags.
//
USHORT Flags; // offset = 0x00C
//
// The file-record-unique attribute instance number for this
// attribute.
//
USHORT Instance; // offset = 0x00E
//
// The following union handles the cases distinguished by the
// Form Code.
//
union {
//
// Resident Form. Attribute resides in file record segment.
//
struct {
//
// Length of attribute value in bytes.
//
ULONG ValueLength; // offset = 0x010
//
// Offset to value from start of attribute record, in
// bytes.
//
USHORT ValueOffset; // offset = 0x014
//
// RESIDENT_FORM_xxx Flags.
//
UCHAR ResidentFlags; // offset = 0x016
//
// Reserved.
//
UCHAR Reserved; // offset = 0x017
} Resident;
//
// Nonresident Form. Attribute resides in separate stream.
//
struct {
//
// Lowest VCN covered by this attribute record.
//
VCN LowestVcn; // offset = 0x010
//
// Highest VCN covered by this attribute record.
//
VCN HighestVcn; // offset = 0x018
//
// Offset to the Mapping Pairs Array (defined below),
// in bytes, from the start of the attribute record.
//
USHORT MappingPairsOffset; // offset = 0x020
//
// Unit of Compression size for this stream, expressed
// as a log of the cluster size.
//
// 0 means file is not compressed
// 1, 2, 3, and 4 are potentially legal values if the
// stream is compressed, however the implementation
// may only choose to use 4, or possibly 3. Note
// that 4 means cluster size time 16. If convenient
// the implementation may wish to accept a
// reasonable range of legal values here (1-5?),
// even if the implementation only generates
// a smaller set of values itself.
//
UCHAR CompressionUnit; // offset = 0x022
//
// Reserved to get to quad word boundary.
//
UCHAR Reserved[5]; // offset = 0x023
//
// Allocated Length of the file in bytes. This is
// obviously an even multiple of the cluster size.
// (Not present if LowestVcn != 0.)
//
LONGLONG AllocatedLength; // offset = 0x028
//
// File Size in bytes (highest byte which may be read +
// 1). (Not present if LowestVcn != 0.)
//
LONGLONG FileSize; // offset = 0x030
//
// Valid Data Length (highest initialized byte + 1).
// This field must also be rounded to a cluster
// boundary, and the data must always be initialized to
// a cluster boundary. (Not present if LowestVcn != 0.)
//
LONGLONG ValidDataLength; // offset = 0x038
//
// Totally allocated. This field is only present for the first
// file record of a compressed stream. It represents the sum of
// the allocated clusters for a file.
//
LONGLONG TotalAllocated; // offset = 0x040
//
//
// Mapping Pairs Array, starting at the offset stored
// above.
//
// The Mapping Pairs Array is stored in a compressed
// form, and assumes that this information is
// decompressed and cached by the system. The reason
// for compressing this information is clear, it is
// done in the hopes that all of the retrieval
// information always fits in a single file record
// segment.
//
// Logically, the MappingPairs Array stores a series of
// NextVcn/CurrentLcn pairs. So, for example, given
// that we know the first Vcn (from LowestVcn above),
// the first Mapping Pair tells us what the next Vcn is
// (for the next Mapping Pair), and what Lcn the
// current Vcn is mapped to, or 0 if the Current Vcn is
// not allocated. (This is exactly the FsRtl MCB
// structure).
//
// For example, if a file has a single run of 8
// clusters, starting at Lcn 128, and the file starts
// at LowestVcn=0, then the Mapping Pairs array has
// just one entry, which is:
//
// NextVcn = 8
// CurrentLcn = 128
//
// The compression is implemented with the following
// algorithm. Assume that you initialize two "working"
// variables as follows:
//
// NextVcn = LowestVcn (from above)
// CurrentLcn = 0
//
// The MappingPairs array is byte stream, which simply
// store the changes to the working variables above,
// when processed sequentially. The byte stream is to
// be interpreted as a zero-terminated stream of
// triples, as follows:
//
// count byte = v + (l * 16)
//
// where v = number of changed low-order Vcn bytes
// l = number of changed low-order Lcn bytes
//
// v Vcn change bytes
// l Lcn change bytes
//
// The byte stream terminates when a count byte of 0 is
// encountered.
//
// The decompression algorithm goes as follows,
// assuming that Attribute is a pointer to the
// attribute record.
//
// 1. Initialize:
// NextVcn = Attribute->LowestVcn;
// CurrentLcn = 0;
//
// 2. Initialize byte stream pointer to: (PCHAR)Attribute +
// Attribute->AttributeForm->Nonresident->MappingPairsOffset
//
// 3. CurrentVcn = NextVcn;
//
// 4. Read next byte from stream. If it is 0, then
// break, else extract v and l (see above).
//
// 5. Interpret the next v bytes as a signed quantity,
// with the low-order byte coming first. Unpack it
// sign-extended into 64 bits and add it to NextVcn.
// (It can really only be positive, but the Lcn
// change can be positive or negative.)
//
// 6. Interpret the next l bytes as a signed quantity,
// with the low-order byte coming first. Unpack it
// sign-extended into 64 bits and add it to
// CurrentLcn. Remember, if this produces a
// CurrentLcn of 0, then the Vcns from the
// CurrentVcn to NextVcn-1 are unallocated.
//
// 7. Update cached mapping information from
// CurrentVcn, NextVcn and CurrentLcn.
//
// 8. Loop back to 3.
//
// The compression algorithm should now be obvious, as
// it is the reverse of the above. The compression and
// decompression algorithms will be available as common
// RTL routines, available to NTFS and file utilities.
//
// In defense of this algorithm, not only does it
// provide compression of the on-disk storage
// requirements, but it results in a single
// representation, independent of disk size and file
// size. Contrast this with solutions which are in use
// which define multiple sizes for virtual and logical
// cluster sizes, depending on the size of the disk,
// etc. For example, two byte cluster numbers might
// suffice for a floppy, while four bytes would be
// required for most hard disks today, and five or six
// bytes are required after a certain number of
// gigabytes, etc. This eventually results in more
// complex code than above (because of the cases) and
// worse yet - untested cases. So, more important than
// the compression, the above algorithm provides one
// case which efficiently handles any size disk.
//
} Nonresident;
} Form;
} ATTRIBUTE_RECORD_HEADER;typedef ATTRIBUTE_RECORD_HEADER *PATTRIBUTE_RECORD_HEADER;
//
// Attribute Form Codes
//
#define RESIDENT_FORM (0x00)
#define NONRESIDENT_FORM (0x01)
//
// Define Attribute Flags
//
//
// The first range of flag bits is reserved for
// storing the compression method. This constant
// defines the mask of the bits reserved for
// compression method. It is also the first
// illegal value, since we increment it to calculate
// the code to pass to the Rtl routines. Thus it is
// impossible for us to store COMPRESSION_FORMAT_DEFAULT.
//
#define ATTRIBUTE_FLAG_COMPRESSION_MASK (0x00FF)
#define ATTRIBUTE_FLAG_SPARSE (0x8000)
#define ATTRIBUTE_FLAG_ENCRYPTED (0x4000)
//
// RESIDENT_FORM_xxx flags
//
//
// This attribute is indexed.
//
#define RESIDENT_FORM_INDEXED (0x01)
//
// The maximum attribute name length is 255 (in chars)
//
#define NTFS_MAX_ATTR_NAME_LEN (255)
//
// Define macros for the size of resident and nonresident headers.
//
#define SIZEOF_RESIDENT_ATTRIBUTE_HEADER ( \
FIELD_OFFSET(ATTRIBUTE_RECORD_HEADER,Form.Resident.Reserved)+1 \)
#define SIZEOF_FULL_NONRES_ATTR_HEADER ( \
sizeof(ATTRIBUTE_RECORD_HEADER) \)
#define SIZEOF_PARTIAL_NONRES_ATTR_HEADER ( \
FIELD_OFFSET(ATTRIBUTE_RECORD_HEADER,Form.Nonresident.TotalAllocated) \)
�//
// Standard Information Attribute. This attribute is present in
// every base file record, and must be resident.
//
typedef struct _STANDARD_INFORMATION {
//
// File creation time.
//
LONGLONG CreationTime; // offset = 0x000
//
// Last time the DATA attribute was modified.
//
LONGLONG LastModificationTime; // offset = 0x008
//
// Last time any attribute was modified.
//
LONGLONG LastChangeTime; // offset = 0x010
//
// Last time the file was accessed. This field may not always
// be updated (write-protected media), and even when it is
// updated, it may only be updated if the time would change by
// a certain delta. It is meant to tell someone approximately
// when the file was last accessed, for purposes of possible
// file migration.
//
LONGLONG LastAccessTime; // offset = 0x018
//
// File attributes. The first byte is the standard "Fat"
// flags for this file.
//
ULONG FileAttributes; // offset = 0x020
//
// Maximum file versions allowed for this file. If this field
// is 0, then versioning is not enabled for this file. If
// there are multiple files with the same version, then the
// value of Maximum file versions in the file with the highest
// version is the correct one.
//
ULONG MaximumVersions; // offset = 0x024
//
// Version number for this file.
//
ULONG VersionNumber; // offset = 0x028
//
// Class Id from the bidirectional Class Id index
//
ULONG ClassId; // offset = 0x02c
//
// Id for file owner, from bidir security index
//
ULONG OwnerId; // offset = 0x030
//
// SecurityId for the file - translates via bidir index to
// granted access Acl.
//
ULONG SecurityId; // offset = 0x034
//
// Current amount of quota that has been charged for all the
// streams of this file. Changed in same transaction with the
// quota file itself.
//
ULONGLONG QuotaCharged; // offset = 0x038
//
// Update sequence number for this file.
//
ULONGLONG Usn; // offset = 0x040
} STANDARD_INFORMATION; // sizeof = 0x048
typedef STANDARD_INFORMATION *PSTANDARD_INFORMATION;
//
// Large Standard Information Attribute. We use this to find the
// security ID field.
//
typedef struct LARGE_STANDARD_INFORMATION {
//
// File creation time.
//
LONGLONG CreationTime; // offset = 0x000
//
// Last time the DATA attribute was modified.
//
LONGLONG LastModificationTime; // offset = 0x008
//
// Last time any attribute was modified.
//
LONGLONG LastChangeTime; // offset = 0x010
//
// Last time the file was accessed. This field may not always
// be updated (write-protected media), and even when it is
// updated, it may only be updated if the time would change by
// a certain delta. It is meant to tell someone approximately
// when the file was last accessed, for purposes of possible
// file migration.
//
LONGLONG LastAccessTime; // offset = 0x018
//
// File attributes. The first byte is the standard "Fat"
// flags for this file.
//
ULONG FileAttributes; // offset = 0x020
//
// Maximum file versions allowed for this file. If this field
// is 0, then versioning is not enabled for this file. If
// there are multiple files with the same version, then the
// value of Maximum file versions in the file with the highest
// version is the correct one.
//
ULONG MaximumVersions; // offset = 0x024
//
// Version number for this file.
//
ULONG VersionNumber; // offset = 0x028
ULONG UnusedUlong;
//
// Id for file owner, from bidir security index
//
ULONG OwnerId; // offset = 0x030
//
// SecurityId for the file - translates via bidir index to
// granted access Acl.
//
ULONG SecurityId; // offset = 0x034
} LARGE_STANDARD_INFORMATION;typedef LARGE_STANDARD_INFORMATION *PLARGE_STANDARD_INFORMATION;
//
// This was the size of standard information prior to NT4.0
//
#define SIZEOF_OLD_STANDARD_INFORMATION (0x30)
//
// Define the file attributes, starting with the Fat attributes.
//
#define FAT_DIRENT_ATTR_READ_ONLY (0x01)
#define FAT_DIRENT_ATTR_HIDDEN (0x02)
#define FAT_DIRENT_ATTR_SYSTEM (0x04)
#define FAT_DIRENT_ATTR_VOLUME_ID (0x08)
#define FAT_DIRENT_ATTR_ARCHIVE (0x20)
#define FAT_DIRENT_ATTR_DEVICE (0x40)
�//
// Attribute List. Because there is not a special header that goes
// before the list of attribute list entries we do not need to
// declare an attribute list header
//
//
// The Attributes List attribute is an ordered-list of quad-word
// aligned ATTRIBUTE_LIST_ENTRY records. It is ordered first by
// Attribute Type Code, and then by Attribute Name (if present).
// No two attributes may exist with the same type code, name and
// LowestVcn. This also means that at most one occurrence of a
// given Attribute Type Code without a name may exist.
//
// To binary search this attribute, it is first necessary to make a
// quick pass through it and form a list of pointers, since the
// optional name makes it variable-length.
//
typedef struct _ATTRIBUTE_LIST_ENTRY {
//
// Attribute Type Code, the first key on which this list is
// ordered.
//
ATTRIBUTE_TYPE_CODE AttributeTypeCode; // offset = 0x000
//
// Size of this record in bytes, including the optional name
// appended to this structure.
//
USHORT RecordLength; // offset = 0x004
//
// Length of attribute name, if there is one. If a name exists
// (AttributeNameLength != 0), then it is a Unicode string of
// the specified number of characters immediately following
// this record. This is the second key on which this list is
// ordered.
//
UCHAR AttributeNameLength; // offset = 0x006
//
// Reserved to get to quad-word boundary
//
UCHAR AttributeNameOffset; // offset = 0x007
//
// Lowest Vcn for this attribute. This field is always zero
// unless the attribute requires multiple file record segments
// to describe all of its runs, and this is a reference to a
// segment other than the first one. The field says what the
// lowest Vcn is that is described by the referenced segment.
//
VCN LowestVcn; // offset = 0x008
//
// Reference to the MFT segment in which the attribute resides.
//
MFT_SEGMENT_REFERENCE SegmentReference; // offset = 0x010
//
// The file-record-unique attribute instance number for this
// attribute.
//
USHORT Instance; // offset = 0x018
//
// When creating an attribute list entry, start the name here.
// (When reading one, use the AttributeNameOffset field.)
//
WCHAR AttributeName[1]; // offset = 0x01A
} ATTRIBUTE_LIST_ENTRY;typedef ATTRIBUTE_LIST_ENTRY *PATTRIBUTE_LIST_ENTRY;
�typedef struct _DUPLICATED_INFORMATION {
//
// File creation time.
//
LONGLONG CreationTime; // offset = 0x000
//
// Last time the DATA attribute was modified.
//
LONGLONG LastModificationTime; // offset = 0x008
//
// Last time any attribute was modified.
//
LONGLONG LastChangeTime; // offset = 0x010
//
// Last time the file was accessed. This field may not always
// be updated (write-protected media), and even when it is
// updated, it may only be updated if the time would change by
// a certain delta. It is meant to tell someone approximately
// when the file was last accessed, for purposes of possible
// file migration.
//
LONGLONG LastAccessTime; // offset = 0x018
//
// Allocated Length of the file in bytes. This is obviously
// an even multiple of the cluster size. (Not present if
// LowestVcn != 0.)
//
LONGLONG AllocatedLength; // offset = 0x020
//
// File Size in bytes (highest byte which may be read + 1).
// (Not present if LowestVcn != 0.)
//
LONGLONG FileSize; // offset = 0x028
//
// File attributes. The first byte is the standard "Fat"
// flags for this file.
//
ULONG FileAttributes; // offset = 0x030
//
// This union enables the retrieval of the tag in reparse
// points when there are no Ea's.
//
union {
struct {
//
// The size of buffer needed to pack these Ea's
//
USHORT PackedEaSize; // offset = 0x034
//
// Reserved for quad word alignment
//
USHORT Reserved; // offset = 0x036
};
//
// The tag of the data in a reparse point. It represents
// the type of a reparse point. It enables different layered
// filters to operate on their own reparse points.
//
ULONG ReparsePointTag; // offset = 0x034
};
} DUPLICATED_INFORMATION; // sizeof = 0x038
typedef DUPLICATED_INFORMATION *PDUPLICATED_INFORMATION;
//
// This bit is duplicated from the file record, to indicate that
// this file has a file name index present (is a "directory").
//
#define DUP_FILE_NAME_INDEX_PRESENT (0x10000000)
//
// This bit is duplicated from the file record, to indicate that
// this file has a view index present, such as the quota or
// object id index.
//
#define DUP_VIEW_INDEX_PRESENT (0x20000000)
//
// The following macros examine fields of the duplicated structure.
//
#define IsDirectory( DUPLICATE ) \
(FlagOn( ((PDUPLICATED_INFORMATION) (DUPLICATE))->FileAttributes, \ DUP_FILE_NAME_INDEX_PRESENT ))
#define IsViewIndex( DUPLICATE ) \
(FlagOn( ((PDUPLICATED_INFORMATION) (DUPLICATE))->FileAttributes, \ DUP_VIEW_INDEX_PRESENT ))
#define IsReadOnly( DUPLICATE ) \
(FlagOn( ((PDUPLICATED_INFORMATION) (DUPLICATE))->FileAttributes, \ FILE_ATTRIBUTE_READONLY ))
#define IsHidden( DUPLICATE ) \
(FlagOn( ((PDUPLICATED_INFORMATION) (DUPLICATE))->FileAttributes, \ FILE_ATTRIBUTE_HIDDEN ))
#define IsSystem( DUPLICATE ) \
(FlagOn( ((PDUPLICATED_INFORMATION) (DUPLICATE))->FileAttributes, \ FILE_ATTRIBUTE_SYSTEM ))
#define IsEncrypted( DUPLICATE ) \
(FlagOn( ((PDUPLICATED_INFORMATION) (DUPLICATE))->FileAttributes, \ FILE_ATTRIBUTE_ENCRYPTED ))
#define IsCompressed( DUPLICATE ) \
(FlagOn( ((PDUPLICATED_INFORMATION) (DUPLICATE))->FileAttributes, \ FILE_ATTRIBUTE_COMPRESSED ))
#define BooleanIsDirectory( DUPLICATE ) \
(BooleanFlagOn( ((PDUPLICATED_INFORMATION) (DUPLICATE))->FileAttributes, \ DUP_FILE_NAME_INDEX_PRESENT ))
#define BooleanIsReadOnly( DUPLICATE ) \
(BooleanFlagOn( ((PDUPLICATED_INFORMATION) (DUPLICATE))->FileAttributes, \ FILE_ATTRIBUTE_READONLY ))
#define BooleanIsHidden( DUPLICATE ) \
(BooleanFlagOn( ((PDUPLICATED_INFORMATION) (DUPLICATE))->FileAttributes, \ FILE_ATTRIBUTE_HIDDEN ))
#define BooleanIsSystem( DUPLICATE ) \
(BooleanFlagOn( ((PDUPLICATED_INFORMATION) (DUPLICATE))->FileAttributes, \ FILE_ATTRIBUTE_SYSTEM ))
#define HasReparsePoint( DUPLICATE ) \
(FlagOn( ((PDUPLICATED_INFORMATION) (DUPLICATE))->FileAttributes, \ FILE_ATTRIBUTE_REPARSE_POINT ))
�//
// File Name attribute. A file has one File Name attribute for
// every directory it is entered into (hard links).
//
typedef struct _FILE_NAME {
//
// This is a File Reference to the directory file which indexes
// to this name.
//
FILE_REFERENCE ParentDirectory; // offset = 0x000
//
// Information for faster directory operations.
//
DUPLICATED_INFORMATION Info; // offset = 0x008
//
// Length of the name to follow, in (Unicode) characters.
//
UCHAR FileNameLength; // offset = 0x040
//
// FILE_NAME_xxx flags
//
UCHAR Flags; // offset = 0x041
//
// First character of Unicode File Name
//
WCHAR FileName[1]; // offset = 0x042
} FILE_NAME;typedef FILE_NAME *PFILE_NAME;
//
// File Name flags
//
#define FILE_NAME_NTFS (0x01)
#define FILE_NAME_DOS (0x02)
//
// The maximum file name length is 255 (in chars)
//
#define NTFS_MAX_FILE_NAME_LENGTH (255)
//
// The maximum number of links on a file is 1024
//
#define NTFS_MAX_LINK_COUNT (1024)
//
// This flag is not part of the disk structure, but is defined here
// to explain its use and avoid possible future collisions. For
// enumerations of "directories" this bit may be set to convey to
// the collating routine that it should not match file names that
// only have the FILE_NAME_DOS bit set.
//
#define FILE_NAME_IGNORE_DOS_ONLY (0x80)
#define NtfsFileNameSizeFromLength(LEN) ( \
(sizeof( FILE_NAME ) + LEN - sizeof( WCHAR )) \)
#define NtfsFileNameSize(PFN) ( \
(sizeof( FILE_NAME ) + ((PFN)->FileNameLength - 1) * sizeof( WCHAR )) \)
�//
// Object id attribute.
//
//
// On disk representation of an object id.
//
#define OBJECT_ID_KEY_LENGTH 16
#define OBJECT_ID_EXT_INFO_LENGTH 48
typedef struct _NTFS_OBJECTID_INFORMATION {
//
// Data the filesystem needs to identify the file with this object id.
//
FILE_REFERENCE FileSystemReference;
//
// This portion of the object id is not indexed, it's just
// some metadata for the user's benefit.
//
UCHAR ExtendedInfo[OBJECT_ID_EXT_INFO_LENGTH];
} NTFS_OBJECTID_INFORMATION, *PNTFS_OBJECTID_INFORMATION;
#define OBJECT_ID_FLAG_CORRUPT (0x00000001)
�//
// Security Descriptor attribute. This is just a normal attribute
// stream containing a security descriptor as defined by NT
// security and is really treated pretty opaque by NTFS.
//
//
// Security descriptors are stored only once on a volume since there may be
// many files that share the same descriptor bits. Typically each principal
// will create files with a single descriptor.
//
// The descriptors themselves are stored in a stream, packed on double quad word
// boundaries. No descriptor will span a 256K cache boundary. The descriptors are
// assigned a ULONG Id each time a unique descriptor is stored. Prefixing each
// descriptor in the stream is the hash of the descriptor, the assigned security
// ID, the length, and the offset within the stream to the beginning of the structure.
//
// For robustness, all security descriptors are written to the stream in two
// different places, with a fixed offset between them. The fixed offset is the
// size of the VACB_MAPPING_GRANULARITY.
//
// An index is used to map from a security Id to offset within the stream. This
// is used to retrieve the security descriptor bits for access validation. The key
// format is simply the ULONG security Id. The data portion of the index record
// is the header of the security descriptor in the stream (see above paragraph).
//
// Another index is used to map from a hash to offset within the stream. To
// simplify the job of the indexing package, the key used in this index is the
// hash followed by the assigned Id. When a security descriptor is stored,
// a hash is computed and an approximate seek is made on this index. As entries
// are enumerated in the index, the descriptor stream is mapped and the security
// descriptor bits are compared. The key format is a structure that contains
// the hash and then the Id. The collation routine tests the hash before the Id.
// The data portion of the index record is the header of the security descriptor.
//
//
// Key structure for Security Hash index
//
typedef struct _SECURITY_HASH_KEY{ ULONG Hash; // Hash value for descriptor
ULONG SecurityId; // Security Id (guaranteed unique)
} SECURITY_HASH_KEY, *PSECURITY_HASH_KEY;
//
// Key structure for Security Id index is simply the SECURITY_ID itself
//
//
// Header for security descriptors in the security descriptor stream. This
// is the data format for all indexes and is part of SharedSecurity
//
typedef struct _SECURITY_DESCRIPTOR_HEADER{ SECURITY_HASH_KEY HashKey; // Hash value for the descriptor
ULONGLONG Offset; // offset to beginning of header
ULONG Length; // Length in bytes
} SECURITY_DESCRIPTOR_HEADER, *PSECURITY_DESCRIPTOR_HEADER;
#define GETSECURITYDESCRIPTORLENGTH(HEADER) \
((HEADER)->Length - sizeof( SECURITY_DESCRIPTOR_HEADER ))
#define SetSecurityDescriptorLength(HEADER,LENGTH) \
((HEADER)->Length = (LENGTH) + sizeof( SECURITY_DESCRIPTOR_HEADER ))
//
// Define standard values for well-known security IDs
//
#define SECURITY_ID_INVALID (0x00000000)
#define SECURITY_ID_FIRST (0x00000100)
�//
// Volume Name attribute. This attribute is just a normal
// attribute stream containing the unicode characters that make up
// the volume label. It is an attribute of the Mft File.
//
�//
// Volume Information attribute. This attribute is only intended
// to be used on the Volume DASD file.
//
typedef struct _VOLUME_INFORMATION {
LONGLONG Reserved;
//
// Major and minor version number of NTFS on this volume,
// starting with 1.0. The major and minor version numbers are
// set from the major and minor version of the Format and NTFS
// implementation for which they are initialized. The policy
// for incementing major and minor versions will always be
// decided on a case by case basis, however, the following two
// paragraphs attempt to suggest an approximate strategy.
//
// The major version number is incremented if/when a volume
// format change is made which requires major structure changes
// (hopefully never?). If an implementation of NTFS sees a
// volume with a higher major version number, it should refuse
// to mount the volume. If a newer implementation of NTFS sees
// an older major version number, it knows the volume cannot be
// accessed without performing a one-time conversion.
//
// The minor version number is incremented if/when minor
// enhancements are made to a major version, which potentially
// support enhanced functionality through additional file or
// attribute record fields, or new system-defined files or
// attributes. If an older implementation of NTFS sees a newer
// minor version number on a volume, it may issue some kind of
// warning, but it will proceed to access the volume - with
// presumably some degradation in functionality compared to the
// version of NTFS which initialized the volume. If a newer
// implementation of NTFS sees a volume with an older minor
// version number, it may issue a warning and proceed. In this
// case, it may choose to increment the minor version number on
// the volume and begin full or incremental upgrade of the
// volume on an as-needed basis. It may also leave the minor
// version number unchanged, until some sort of explicit
// directive from the user specifies that the minor version
// should be updated.
//
UCHAR MajorVersion; // offset = 0x008
UCHAR MinorVersion; // offset = 0x009
//
// VOLUME_xxx flags.
//
USHORT VolumeFlags; // offset = 0x00A
//
// The following fields will only exist on version 4 and greater
//
UCHAR LastMountedMajorVersion; // offset = 0x00C
UCHAR LastMountedMinorVersion; // offset = 0x00D
USHORT Reserved2; // offset = 0x00E
USN LowestOpenUsn; // offset = 0x010
} VOLUME_INFORMATION; // sizeof = 0xC or 0x18
typedef VOLUME_INFORMATION *PVOLUME_INFORMATION;
//
// Volume is Dirty
//
#define VOLUME_DIRTY (0x0001)
#define VOLUME_RESIZE_LOG_FILE (0x0002)
#define VOLUME_UPGRADE_ON_MOUNT (0x0004)
#define VOLUME_MOUNTED_ON_40 (0x0008)
#define VOLUME_DELETE_USN_UNDERWAY (0x0010)
#define VOLUME_REPAIR_OBJECT_ID (0x0020)
#define VOLUME_CHKDSK_RAN_ONCE (0x4000) // this bit is used by autochk/chkdsk only
#define VOLUME_MODIFIED_BY_CHKDSK (0x8000)
�//
// Common Index Header for Index Root and Index Allocation Buffers.
// This structure is used to locate the Index Entries and describe
// the free space in either of the two structures above.
//
typedef struct _INDEX_HEADER {
//
// Offset from the start of this structure to the first Index
// Entry.
//
ULONG FirstIndexEntry; // offset = 0x000
//
// Offset from the start of the first index entry to the first
// (quad-word aligned) free byte.
//
ULONG FirstFreeByte; // offset = 0x004
//
// Total number of bytes available, from the start of the first
// index entry. In the Index Root, this number must always be
// equal to FirstFreeByte, as the total attribute record will
// be grown and shrunk as required.
//
ULONG BytesAvailable; // offset = 0x008
//
// INDEX_xxx flags.
//
UCHAR Flags; // offset = 0x00C
//
// Reserved to round up to quad word boundary.
//
UCHAR Reserved[3]; // offset = 0x00D
} INDEX_HEADER; // sizeof = 0x010
typedef INDEX_HEADER *PINDEX_HEADER;
//
// INDEX_xxx flags
//
//
// This Index or Index Allocation buffer is an intermediate node,
// as opposed to a leaf in the Btree. All Index Entries will have
// a block down pointer.
//
#define INDEX_NODE (0x01)
//
// Index Root attribute. The index attribute consists of an index
// header record followed by one or more index entries.
//
typedef struct _INDEX_ROOT {
//
// Attribute Type Code of the attribute being indexed.
//
ATTRIBUTE_TYPE_CODE IndexedAttributeType; // offset = 0x000
//
// Collation rule for this index.
//
COLLATION_RULE CollationRule; // offset = 0x004
//
// Size of Index Allocation Buffer in bytes.
//
ULONG BytesPerIndexBuffer; // offset = 0x008
//
// Size of Index Allocation Buffers in units of blocks.
// Blocks will be clusters when index buffer is equal or
// larger than clusters and log blocks for large
// cluster systems.
//
UCHAR BlocksPerIndexBuffer; // offset = 0x00C
//
// Reserved to round to quad word boundary.
//
UCHAR Reserved[3]; // offset = 0x00D
//
// Index Header to describe the Index Entries which follow
//
INDEX_HEADER IndexHeader; // offset = 0x010
} INDEX_ROOT; // sizeof = 0x020
typedef INDEX_ROOT *PINDEX_ROOT;
//
// Index Allocation record is used for non-root clusters of the
// b-tree. Each non root cluster is contained in the data part of
// the index allocation attribute. Each cluster starts with an
// index allocation list header and is followed by one or more
// index entries.
//
typedef struct _INDEX_ALLOCATION_BUFFER {
//
// Multi-Sector Header as defined by the Cache Manager. This
// structure will always contain the signature "INDX" and a
// description of the location and size of the Update Sequence
// Array.
//
MULTI_SECTOR_HEADER MultiSectorHeader; // offset = 0x000
//
// Log File Sequence Number of last logged update to this Index
// Allocation Buffer.
//
LSN Lsn; // offset = 0x008
//
// We store the index block of this Index Allocation buffer for
// convenience and possible consistency checking.
//
VCN ThisBlock; // offset = 0x010
//
// Index Header to describe the Index Entries which follow
//
INDEX_HEADER IndexHeader; // offset = 0x018
//
// Update Sequence Array to protect multi-sector transfers of
// the Index Allocation Buffer.
//
UPDATE_SEQUENCE_ARRAY UpdateSequenceArray; // offset = 0x028
} INDEX_ALLOCATION_BUFFER;typedef INDEX_ALLOCATION_BUFFER *PINDEX_ALLOCATION_BUFFER;
//
// Default size of index buffer and index blocks.
//
#define DEFAULT_INDEX_BLOCK_SIZE (0x200)
#define DEFAULT_INDEX_BLOCK_BYTE_SHIFT (9)
//
// Index Entry. This structure is common to both the resident
// index list attribute and the Index Allocation records
//
typedef struct _INDEX_ENTRY {
//
// Define a union to distinguish directory indices from view indices
//
union {
//
// Reference to file containing the attribute with this
// attribute value.
//
FILE_REFERENCE FileReference; // offset = 0x000
//
// For views, describe the Data Offset and Length in bytes
//
struct {
USHORT DataOffset; // offset = 0x000
USHORT DataLength; // offset = 0x001
ULONG ReservedForZero; // offset = 0x002
}; };
//
// Length of this index entry, in bytes.
//
USHORT Length; // offset = 0x008
//
// Length of attribute value, in bytes. The attribute value
// immediately follows this record.
//
USHORT AttributeLength; // offset = 0x00A
//
// INDEX_ENTRY_xxx Flags.
//
USHORT Flags; // offset = 0x00C
//
// Reserved to round to quad-word boundary.
//
USHORT Reserved; // offset = 0x00E
//
// If this Index Entry is an intermediate node in the tree, as
// determined by the INDEX_xxx flags, then a VCN is stored at
// the end of this entry at Length - sizeof(VCN).
//
} INDEX_ENTRY; // sizeof = 0x010
typedef INDEX_ENTRY *PINDEX_ENTRY;
//
// INDEX_ENTRY_xxx flags
//
//
// This entry is currently in the intermediate node form, i.e., it
// has a Vcn at the end.
//
#define INDEX_ENTRY_NODE (0x0001)
//
// This entry is the special END record for the Index or Index
// Allocation buffer.
//
#define INDEX_ENTRY_END (0x0002)
//
// This flag is *not* part of the on-disk structure. It is defined
// and reserved here for the convenience of the implementation to
// help avoid allocating buffers from the pool and copying.
//
#define INDEX_ENTRY_POINTER_FORM (0x8000)
#define NtfsIndexEntryBlock(IE) ( \
*(PLONGLONG)((PCHAR)(IE) + (ULONG)(IE)->Length - sizeof(LONGLONG)) \ )
#define NtfsSetIndexEntryBlock(IE,IB) { \
*(PLONGLONG)((PCHAR)(IE) + (ULONG)(IE)->Length - sizeof(LONGLONG)) = (IB); \ }
#define NtfsFirstIndexEntry(IH) ( \
(PINDEX_ENTRY)((PCHAR)(IH) + (IH)->FirstIndexEntry) \ )
#define NtfsNextIndexEntry(IE) ( \
(PINDEX_ENTRY)((PCHAR)(IE) + (ULONG)(IE)->Length) \ )
#define NtfsCheckIndexBound(IE, IH) { \
if (((PCHAR)(IE) < (PCHAR)(IH)) || \ (((PCHAR)(IE) + sizeof( INDEX_ENTRY )) > ((PCHAR)Add2Ptr((IH), (IH)->BytesAvailable)))) { \ NtfsRaiseStatus(IrpContext, STATUS_FILE_CORRUPT_ERROR, NULL, NULL ); \ } \}
�//
// MFT Bitmap attribute
//
// The MFT Bitmap is simply a normal attribute stream in which
// there is one bit to represent the allocation state of each File
// Record Segment in the MFT. Bit clear means free, and bit set
// means allocated.
//
// Whenever the MFT Data attribute is extended, the MFT Bitmap
// attribute must also be extended. If the bitmap is still in a
// file record segment for the MFT, then it must be extended and
// the new bits cleared. When the MFT Bitmap is in the Nonresident
// form, then the allocation should always be sufficient to store
// enough bits to describe the MFT, however ValidDataLength insures
// that newly allocated space to the MFT Bitmap has an initial
// value of all 0's. This means that if the MFT Bitmap is extended,
// the newly represented file record segments are automatically in
// the free state.
//
// No structure definition is required; the positional offset of
// the file record segment is exactly equal to the bit offset of
// its corresponding bit in the Bitmap.
//
�//
// USN Journal Instance
//
// The following describe the current instance of the Usn journal.
//
typedef struct _USN_JOURNAL_INSTANCE {
#ifdef __cplusplus
CREATE_USN_JOURNAL_DATA JournalData;#else // __cplusplus
CREATE_USN_JOURNAL_DATA;#endif // __cplusplus
ULONGLONG JournalId; USN LowestValidUsn;
} USN_JOURNAL_INSTANCE, *PUSN_JOURNAL_INSTANCE;
//
// Reparse point index keys.
//
// The index with all the reparse points that exist in a volume at a
// given time contains entries with keys of the form
// <reparse tag, file record id>.
// The data part of these records is empty.
//
typedef struct _REPARSE_INDEX_KEY {
//
// The tag of the reparse point.
//
ULONG FileReparseTag;
//
// The file record Id where the reparse point is set.
//
LARGE_INTEGER FileId;
} REPARSE_INDEX_KEY, *PREPARSE_INDEX_KEY;
�//
// Ea Information attribute
//
// This attribute is only present if the file/directory also has an
// EA attribute. It is used to store common EA query information.
//
typedef struct _EA_INFORMATION {
//
// The size of buffer needed to pack these Ea's
//
USHORT PackedEaSize; // offset = 0x000
//
// This is the count of Ea's with their NEED_EA
// bit set.
//
USHORT NeedEaCount; // offset = 0x002
//
// The size of the buffer needed to return all Ea's
// in their unpacked form.
//
ULONG UnpackedEaSize; // offset = 0x004
} EA_INFORMATION; // sizeof = 0x008
typedef EA_INFORMATION *PEA_INFORMATION;
�//
// Define the struture of the quota data in the quota index. The key for
// the quota index is the 32 bit owner id.
//
typedef struct _QUOTA_USER_DATA { ULONG QuotaVersion; ULONG QuotaFlags; ULONGLONG QuotaUsed; ULONGLONG QuotaChangeTime; ULONGLONG QuotaThreshold; ULONGLONG QuotaLimit; ULONGLONG QuotaExceededTime; SID QuotaSid;} QUOTA_USER_DATA, *PQUOTA_USER_DATA;
//
// Define the size of the quota user data structure without the quota SID.
//
#define SIZEOF_QUOTA_USER_DATA FIELD_OFFSET(QUOTA_USER_DATA, QuotaSid)
//
// Define the current version of the quote user data.
//
#define QUOTA_USER_VERSION 2
//
// Define the quota flags.
//
#define QUOTA_FLAG_DEFAULT_LIMITS (0x00000001)
#define QUOTA_FLAG_LIMIT_REACHED (0x00000002)
#define QUOTA_FLAG_ID_DELETED (0x00000004)
#define QUOTA_FLAG_USER_MASK (0x00000007)
//
// The following flags are only stored in the quota defaults index entry.
//
#define QUOTA_FLAG_TRACKING_ENABLED (0x00000010)
#define QUOTA_FLAG_ENFORCEMENT_ENABLED (0x00000020)
#define QUOTA_FLAG_TRACKING_REQUESTED (0x00000040)
#define QUOTA_FLAG_LOG_THRESHOLD (0x00000080)
#define QUOTA_FLAG_LOG_LIMIT (0x00000100)
#define QUOTA_FLAG_OUT_OF_DATE (0x00000200)
#define QUOTA_FLAG_CORRUPT (0x00000400)
#define QUOTA_FLAG_PENDING_DELETES (0x00000800)
//
// Define special quota owner ids.
//
#define QUOTA_INVALID_ID 0x00000000
#define QUOTA_DEFAULTS_ID 0x00000001
#define QUOTA_FISRT_USER_ID 0x00000100
�//
// Attribute Definition Table
//
// The following struct defines the columns of this table.
// Initially they will be stored as simple records, and ordered by
// Attribute Type Code.
//
typedef struct _ATTRIBUTE_DEFINITION_COLUMNS {
//
// Unicode attribute name.
//
WCHAR AttributeName[64]; // offset = 0x000
//
// Attribute Type Code.
//
ATTRIBUTE_TYPE_CODE AttributeTypeCode; // offset = 0x080
//
// Default Display Rule for this attribute
//
DISPLAY_RULE DisplayRule; // offset = 0x084
//
// Default Collation rule
//
COLLATION_RULE CollationRule; // offset = 0x088
//
// ATTRIBUTE_DEF_xxx flags
//
ULONG Flags; // offset = 0x08C
//
// Minimum Length for attribute, if present.
//
LONGLONG MinimumLength; // offset = 0x090
//
// Maximum Length for attribute.
//
LONGLONG MaximumLength; // offset = 0x098
} ATTRIBUTE_DEFINITION_COLUMNS; // sizeof = 0x0A0
typedef ATTRIBUTE_DEFINITION_COLUMNS *PATTRIBUTE_DEFINITION_COLUMNS;
//
// ATTRIBUTE_DEF_xxx flags
//
//
// This flag is set if the attribute may be indexed.
//
#define ATTRIBUTE_DEF_INDEXABLE (0x00000002)
//
// This flag is set if the attribute may occur more than once, such
// as is allowed for the File Name attribute.
//
#define ATTRIBUTE_DEF_DUPLICATES_ALLOWED (0x00000004)
//
// This flag is set if the value of the attribute may not be
// entirely null, i.e., all binary 0's.
//
#define ATTRIBUTE_DEF_MAY_NOT_BE_NULL (0x00000008)
//
// This attribute must be indexed, and no two attributes may exist
// with the same value in the same file record segment.
//
#define ATTRIBUTE_DEF_MUST_BE_INDEXED (0x00000010)
//
// This attribute must be named, and no two attributes may exist
// with the same name in the same file record segment.
//
#define ATTRIBUTE_DEF_MUST_BE_NAMED (0x00000020)
//
// This attribute must be in the Resident Form.
//
#define ATTRIBUTE_DEF_MUST_BE_RESIDENT (0x00000040)
//
// Modifications to this attribute should be logged even if the
// attribute is nonresident.
//
#define ATTRIBUTE_DEF_LOG_NONRESIDENT (0X00000080)
�//
// MACROS
//
// Define some macros that are helpful for manipulating NTFS on
// disk structures.
//
//
// The following macro returns the first attribute record in a file
// record segment.
//
// PATTRIBUTE_RECORD_HEADER
// NtfsFirstAttribute (
// IN PFILE_RECORD_SEGMENT_HEADER FileRecord
// );
//
// The following macro takes a pointer to an attribute record (or
// attribute list entry) and returns a pointer to the next
// attribute record (or attribute list entry) in the list
//
// PVOID
// NtfsGetNextRecord (
// IN PATTRIB_RECORD or PATTRIB_LIST_ENTRY Struct
// );
//
//
// The following macro takes as input a attribute record or
// attribute list entry and initializes a string variable to the
// name found in the record or entry. The memory used for the
// string buffer is the memory found in the attribute.
//
// VOID
// NtfsInitializeStringFromAttribute (
// IN OUT PUNICODE_STRING Name,
// IN PATTRIBUTE_RECORD_HEADER Attribute
// );
//
// VOID
// NtfsInitializeStringFromEntry (
// IN OUT PUNICODE_STRING Name,
// IN PATTRIBUTE_LIST_ENTRY Entry
// );
//
//
// The following two macros assume resident form and should only be
// used when that state is known. They return a pointer to the
// value a resident attribute or a pointer to the byte one beyond
// the value.
//
// PVOID
// NtfsGetValue (
// IN PATTRIBUTE_RECORD_HEADER Attribute
// );
//
// PVOID
// NtfsGetBeyondValue (
// IN PATTRIBUTE_RECORD_HEADER Attribute
// );
//
// The following two macros return a boolean value indicating if
// the input attribute record is of the specified type code, or the
// indicated value. The equivalent routine to comparing attribute
// names cannot be defined as a macro and is declared in AttrSup.c
//
// BOOLEAN
// NtfsEqualAttributeTypeCode (
// IN PATTRIBUTE_RECORD_HEADER Attribute,
// IN ATTRIBUTE_TYPE_CODE Code
// );
//
// BOOLEAN
// NtfsEqualAttributeValue (
// IN PATTRIBUTE_RECORD_HEADER Attribute,
// IN PVOID Value,
// IN ULONG Length
// );
//
#define NtfsFirstAttribute(FRS) ( \
(PATTRIBUTE_RECORD_HEADER)((PCHAR)(FRS) + (FRS)->FirstAttributeOffset) \)
#define NtfsGetNextRecord(STRUCT) ( \
(PVOID)((PUCHAR)(STRUCT) + (STRUCT)->RecordLength) \)
#define NtfsCheckRecordBound(PTR, SPTR, SIZ) { \
if (((PCHAR)(PTR) < (PCHAR)(SPTR)) || ((PCHAR)(PTR) >= ((PCHAR)(SPTR) + (SIZ)))) { \ NtfsRaiseStatus(IrpContext, STATUS_FILE_CORRUPT_ERROR, NULL, NULL ); \ } \}
#define NtfsInitializeStringFromAttribute(NAME,ATTRIBUTE) { \
(NAME)->Length = (USHORT)(ATTRIBUTE)->NameLength << 1; \ (NAME)->MaximumLength = (NAME)->Length; \ (NAME)->Buffer = (PWSTR)Add2Ptr((ATTRIBUTE), (ATTRIBUTE)->NameOffset); \}
#define NtfsInitializeStringFromEntry(NAME,ENTRY) { \
(NAME)->Length = (USHORT)(ENTRY)->AttributeNameLength << 1; \ (NAME)->MaximumLength = (NAME)->Length; \ (NAME)->Buffer = (PWSTR)((ENTRY) + 1); \}
#define NtfsGetValue(ATTRIBUTE) ( \
Add2Ptr((ATTRIBUTE), (ATTRIBUTE)->Form.Resident.ValueOffset) \)
#define NtfsGetBeyondValue(ATTRIBUTE) ( \
Add2Ptr(NtfsGetValue(ATTRIBUTE), (ATTRIBUTE)->Form.Resident.ValueLength) \)
#define NtfsEqualAttributeTypeCode(A,C) ( \
(C) == (A)->TypeCode \)
#define NtfsEqualAttributeValue(A,V,L) ( \
NtfsIsAttributeResident(A) && \ (A)->Form.Resident.ValueLength == (L) && \ RtlEqualMemory(NtfsGetValue(A),(V),(L)) \)
#pragma pack()
#endif // _NTFS_
|
