adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c3f5bd3de2d1affa01e2f6c2066c6bb0fc6413bc
metasploit-gs/api/Rex/Parser/NTFS.html
T
jenkins-metasploit c3f5bd3de2 Reboot gh-pages
2026-05-08 17:08:43 +00:00

1214 lines
75 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>
Class: Rex::Parser::NTFS
&mdash; Documentation by YARD 0.9.37
</title>
<link rel="stylesheet" href="../../css/style.css" type="text/css" />
<link rel="stylesheet" href="../../css/common.css" type="text/css" />
<script type="text/javascript">
pathId = "Rex::Parser::NTFS";
relpath = '../../';
</script>
<script type="text/javascript" charset="utf-8" src="../../js/jquery.js"></script>
<script type="text/javascript" charset="utf-8" src="../../js/app.js"></script>
</head>
<body>
<div class="nav_wrap">
<iframe id="nav" src="../../class_list.html?1"></iframe>
<div id="resizer"></div>
</div>
<div id="main" tabindex="-1">
<div id="header">
<div id="menu">
<a href="../../_index.html">Index (N)</a> &raquo;
<span class='title'><span class='object_link'><a href="../../Rex.html" title="Rex (module)">Rex</a></span></span> &raquo; <span class='title'><span class='object_link'><a href="../Parser.html" title="Rex::Parser (module)">Parser</a></span></span>
&raquo;
<span class="title">NTFS</span>
</div>
<div id="search">
<a class="full_list_link" id="class_list_link"
href="../../class_list.html">
<svg width="24" height="24">
<rect x="0" y="4" width="24" height="4" rx="1" ry="1"></rect>
<rect x="0" y="12" width="24" height="4" rx="1" ry="1"></rect>
<rect x="0" y="20" width="24" height="4" rx="1" ry="1"></rect>
</svg>
</a>
</div>
<div class="clear"></div>
</div>
<div id="content"><h1>Class: Rex::Parser::NTFS
</h1>
<div class="box_info">
<dl>
<dt>Inherits:</dt>
<dd>
<span class="inheritName">Object</span>
<ul class="fullTree">
<li>Object</li>
<li class="next">Rex::Parser::NTFS</li>
</ul>
<a href="#" class="inheritanceTree">show all</a>
</dd>
</dl>
<dl>
<dt>Defined in:</dt>
<dd>lib/rex/parser/fs/ntfs.rb</dd>
</dl>
</div>
<h2>Overview</h2><div class="docstring">
<div class="discussion">
<p>This class parses the contents of an NTFS partition file. Author : Danil Bazin &lt;<a href="at">danil.bazin</a>hsc.fr&gt; @danilbaz</p>
</div>
</div>
<div class="tags">
</div>
<h2>
Constant Summary
<small><a href="#" class="constants_summary_toggle">collapse</a></small>
</h2>
<dl class="constants">
<dt id="DATA_ATTRIBUTE_ID-constant" class="">DATA_ATTRIBUTE_ID =
<div class="docstring">
<div class="discussion">
<p>Initialize the NTFS class with an already open file handler</p>
</div>
</div>
<div class="tags">
</div>
</dt>
<dd><pre class="code"><span class='int'>128</span></pre></dd>
<dt id="INDEX_ROOT_ID-constant" class="">INDEX_ROOT_ID =
</dt>
<dd><pre class="code"><span class='int'>144</span></pre></dd>
<dt id="INDEX_ALLOCATION_ID-constant" class="">INDEX_ALLOCATION_ID =
</dt>
<dd><pre class="code"><span class='int'>160</span></pre></dd>
</dl>
<h2>
Instance Method Summary
<small><a href="#" class="summary_toggle">collapse</a></small>
</h2>
<ul class="summary">
<li class="public ">
<span class="summary_signature">
<a href="#cluster_from_attribute_non_resident-instance_method" title="#cluster_from_attribute_non_resident (instance method)">#<strong>cluster_from_attribute_non_resident</strong>(attribute, cluster_num = 0, size_max = ((2**31) - 1)) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'></div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#file-instance_method" title="#file (instance method)">#<strong>file</strong>(path) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>return the file path in the NTFS partition.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#file_content_from_mft_num-instance_method" title="#file_content_from_mft_num (instance method)">#<strong>file_content_from_mft_num</strong>(mft_num, size) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Get the file from the MFT number The size must be given because the $FILENAME attribute in the MFT entry does not contain it The file is in $DATA (128) Attribute.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#filename_from_filenameattribute-instance_method" title="#filename_from_filenameattribute (instance method)">#<strong>filename_from_filenameattribute</strong>(attribute) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Gather the name of the file from the $FILENAME (64) attribute.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#index_list_from_attributes-instance_method" title="#index_list_from_attributes (instance method)">#<strong>index_list_from_attributes</strong>(attributes) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>return the list of files in attribute directory and their MFT number and size.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#initialize-instance_method" title="#initialize (instance method)">#<strong>initialize</strong>(file_handler) &#x21d2; NTFS </a>
</span>
<span class="note title constructor">constructor</span>
<span class="summary_desc"><div class='inline'>
<p>A new instance of NTFS.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#mft_record_attribute-instance_method" title="#mft_record_attribute (instance method)">#<strong>mft_record_attribute</strong>(mft_record, lazy = true) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>return the attribute list from the MFT record deal with resident and non resident attributes (but not $DATA due to performance issue) if lazy = True, this function only gather essential non resident attributes (INDEX_ALLOCATION).</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#mft_record_from_mft_num-instance_method" title="#mft_record_from_mft_num (instance method)">#<strong>mft_record_from_mft_num</strong>(mft_num) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Gather the MFT entry corresponding to his number.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#parse_index-instance_method" title="#parse_index (instance method)">#<strong>parse_index</strong>(index_entry) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>parse one index record and return the name, MFT number and size of the file.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#parse_index_list-instance_method" title="#parse_index_list (instance method)">#<strong>parse_index_list</strong>(index_record, index_allocation_attribute) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>parse index_record in $INDEX_ROOT and recursively index_record in INDEX_ALLOCATION.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#real_size_from_filenameattribute-instance_method" title="#real_size_from_filenameattribute (instance method)">#<strong>real_size_from_filenameattribute</strong>(attribute) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Get the size of the file in the $FILENAME (64) attribute.</p>
</div></span>
</li>
</ul>
<div id="constructor_details" class="method_details_list">
<h2>Constructor Details</h2>
<div class="method_details first">
<h3 class="signature first" id="initialize-instance_method">
#<strong>initialize</strong>(file_handler) &#x21d2; <tt><span class='object_link'><a href="" title="Rex::Parser::NTFS (class)">NTFS</a></span></tt>
</h3><div class="docstring">
<div class="discussion">
<p>Returns a new instance of NTFS.</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/rex/parser/fs/ntfs.rb', line 17</span>
<span class='kw'>def</span> <span class='id identifier rubyid_initialize'>initialize</span><span class='lparen'>(</span><span class='id identifier rubyid_file_handler'>file_handler</span><span class='rparen'>)</span>
<span class='ivar'>@file_handler</span> <span class='op'>=</span> <span class='id identifier rubyid_file_handler'>file_handler</span>
<span class='id identifier rubyid_data'>data</span> <span class='op'>=</span> <span class='ivar'>@file_handler</span><span class='period'>.</span><span class='id identifier rubyid_read'>read</span><span class='lparen'>(</span><span class='int'>4096</span><span class='rparen'>)</span>
<span class='comment'># Boot sector reading
</span> <span class='ivar'>@bytes_per_sector</span> <span class='op'>=</span> <span class='id identifier rubyid_data'>data</span><span class='lbracket'>[</span><span class='int'>11</span><span class='comma'>,</span> <span class='int'>2</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>v</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='ivar'>@sector_per_cluster</span> <span class='op'>=</span> <span class='id identifier rubyid_data'>data</span><span class='lbracket'>[</span><span class='int'>13</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>C</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='ivar'>@cluster_per_mft_record</span> <span class='op'>=</span> <span class='id identifier rubyid_data'>data</span><span class='lbracket'>[</span><span class='int'>64</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>c</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='kw'>if</span> <span class='ivar'>@cluster_per_mft_record</span> <span class='op'>&lt;</span> <span class='int'>0</span>
<span class='ivar'>@bytes_per_mft_record</span> <span class='op'>=</span> <span class='int'>2</span><span class='op'>**</span><span class='lparen'>(</span><span class='op'>-</span><span class='ivar'>@cluster_per_mft_record</span><span class='rparen'>)</span>
<span class='ivar'>@cluster_per_mft_record</span> <span class='op'>=</span> <span class='ivar'>@bytes_per_mft_record</span><span class='period'>.</span><span class='id identifier rubyid_to_f'>to_f</span> <span class='op'>/</span> <span class='ivar'>@bytes_per_sector</span> <span class='op'>/</span> <span class='ivar'>@sector_per_cluster</span>
<span class='kw'>else</span>
<span class='ivar'>@bytes_per_mft_record</span> <span class='op'>=</span> <span class='ivar'>@bytes_per_sector</span> <span class='op'>*</span> <span class='ivar'>@sector_per_cluster</span> <span class='op'>*</span> <span class='ivar'>@cluster_per_mft_record</span>
<span class='kw'>end</span>
<span class='ivar'>@bytes_per_cluster</span> <span class='op'>=</span> <span class='ivar'>@sector_per_cluster</span> <span class='op'>*</span> <span class='ivar'>@bytes_per_sector</span>
<span class='ivar'>@mft_logical_cluster_number</span> <span class='op'>=</span> <span class='id identifier rubyid_data'>data</span><span class='lbracket'>[</span><span class='int'>48</span><span class='comma'>,</span> <span class='int'>8</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Q&lt;</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='ivar'>@mft_offset</span> <span class='op'>=</span> <span class='ivar'>@mft_logical_cluster_number</span> <span class='op'>*</span> <span class='ivar'>@sector_per_cluster</span> <span class='op'>*</span> <span class='ivar'>@bytes_per_sector</span>
<span class='ivar'>@file_handler</span><span class='period'>.</span><span class='id identifier rubyid_seek'>seek</span><span class='lparen'>(</span><span class='ivar'>@mft_offset</span><span class='rparen'>)</span>
<span class='ivar'>@mft</span> <span class='op'>=</span> <span class='ivar'>@file_handler</span><span class='period'>.</span><span class='id identifier rubyid_read'>read</span><span class='lparen'>(</span><span class='ivar'>@bytes_per_mft_record</span><span class='rparen'>)</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
</div>
<div id="instance_method_details" class="method_details_list">
<h2>Instance Method Details</h2>
<div class="method_details first">
<h3 class="signature first" id="cluster_from_attribute_non_resident-instance_method">
#<strong>cluster_from_attribute_non_resident</strong>(attribute, cluster_num = 0, size_max = ((2**31) - 1)) &#x21d2; <tt>Object</tt>
</h3><table class="source_code">
<tr>
<td>
<pre class="lines">
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/rex/parser/fs/ntfs.rb', line 148</span>
<span class='kw'>def</span> <span class='id identifier rubyid_cluster_from_attribute_non_resident'>cluster_from_attribute_non_resident</span><span class='lparen'>(</span><span class='id identifier rubyid_attribute'>attribute</span><span class='comma'>,</span> <span class='id identifier rubyid_cluster_num'>cluster_num</span> <span class='op'>=</span> <span class='int'>0</span><span class='comma'>,</span> <span class='id identifier rubyid_size_max'>size_max</span> <span class='op'>=</span> <span class='lparen'>(</span><span class='lparen'>(</span><span class='int'>2</span><span class='op'>**</span><span class='int'>31</span><span class='rparen'>)</span> <span class='op'>-</span> <span class='int'>1</span><span class='rparen'>)</span><span class='rparen'>)</span>
<span class='id identifier rubyid_lowvcn'>lowvcn</span> <span class='op'>=</span> <span class='id identifier rubyid_attribute'>attribute</span><span class='lbracket'>[</span><span class='int'>16</span><span class='comma'>,</span> <span class='int'>8</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Q&lt;</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_highvcn'>highvcn</span> <span class='op'>=</span> <span class='id identifier rubyid_attribute'>attribute</span><span class='lbracket'>[</span><span class='int'>24</span><span class='comma'>,</span> <span class='int'>8</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Q&lt;</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_offset'>offset</span> <span class='op'>=</span> <span class='id identifier rubyid_attribute'>attribute</span><span class='lbracket'>[</span><span class='int'>32</span><span class='comma'>,</span> <span class='int'>2</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>v</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_real_size'>real_size</span> <span class='op'>=</span> <span class='id identifier rubyid_attribute'>attribute</span><span class='lbracket'>[</span><span class='int'>48</span><span class='comma'>,</span> <span class='int'>8</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Q&lt;</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_attribut'>attribut</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_end'>&#39;</span></span>
<span class='id identifier rubyid_run_list_num'>run_list_num</span> <span class='op'>=</span> <span class='id identifier rubyid_lowvcn'>lowvcn</span>
<span class='id identifier rubyid_old_offset'>old_offset</span> <span class='op'>=</span> <span class='int'>0</span>
<span class='kw'>while</span> <span class='id identifier rubyid_run_list_num'>run_list_num</span> <span class='op'>&lt;=</span> <span class='id identifier rubyid_highvcn'>highvcn</span>
<span class='id identifier rubyid_first_runlist_byte'>first_runlist_byte</span> <span class='op'>=</span> <span class='id identifier rubyid_attribute'>attribute</span><span class='lbracket'>[</span><span class='id identifier rubyid_offset'>offset</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_ord'>ord</span>
<span class='id identifier rubyid_run_offset_size'>run_offset_size</span> <span class='op'>=</span> <span class='id identifier rubyid_first_runlist_byte'>first_runlist_byte</span> <span class='op'>&gt;&gt;</span> <span class='int'>4</span>
<span class='id identifier rubyid_run_length_size'>run_length_size</span> <span class='op'>=</span> <span class='id identifier rubyid_first_runlist_byte'>first_runlist_byte</span> <span class='op'>&amp;</span> <span class='int'>15</span>
<span class='id identifier rubyid_run_length'>run_length</span> <span class='op'>=</span> <span class='id identifier rubyid_attribute'>attribute</span><span class='lbracket'>[</span><span class='id identifier rubyid_offset'>offset</span> <span class='op'>+</span> <span class='int'>1</span><span class='comma'>,</span> <span class='id identifier rubyid_run_length_size'>run_length_size</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_run_length'>run_length</span> <span class='op'>+=</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x00</span><span class='tstring_end'>&quot;</span></span> <span class='op'>*</span> <span class='lparen'>(</span><span class='int'>8</span> <span class='op'>-</span> <span class='id identifier rubyid_run_length_size'>run_length_size</span><span class='rparen'>)</span>
<span class='id identifier rubyid_run_length'>run_length</span> <span class='op'>=</span> <span class='id identifier rubyid_run_length'>run_length</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Q&lt;</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_offset_run_offset'>offset_run_offset</span> <span class='op'>=</span> <span class='id identifier rubyid_offset'>offset</span> <span class='op'>+</span> <span class='int'>1</span> <span class='op'>+</span> <span class='id identifier rubyid_run_length_size'>run_length_size</span>
<span class='id identifier rubyid_run_offset'>run_offset</span> <span class='op'>=</span> <span class='id identifier rubyid_attribute'>attribute</span><span class='lbracket'>[</span><span class='id identifier rubyid_offset_run_offset'>offset_run_offset</span><span class='comma'>,</span> <span class='id identifier rubyid_run_offset_size'>run_offset_size</span><span class='rbracket'>]</span>
<span class='kw'>if</span> <span class='id identifier rubyid_run_offset'>run_offset</span><span class='lbracket'>[</span><span class='op'>-</span><span class='int'>1</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_ord'>ord</span> <span class='op'>&amp;</span> <span class='int'>128</span> <span class='op'>==</span> <span class='int'>128</span>
<span class='id identifier rubyid_run_offset'>run_offset</span> <span class='op'>+=</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\xFF</span><span class='tstring_end'>&quot;</span></span> <span class='op'>*</span> <span class='lparen'>(</span><span class='int'>8</span> <span class='op'>-</span> <span class='id identifier rubyid_run_offset_size'>run_offset_size</span><span class='rparen'>)</span>
<span class='kw'>else</span>
<span class='id identifier rubyid_run_offset'>run_offset</span> <span class='op'>+=</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x00</span><span class='tstring_end'>&quot;</span></span> <span class='op'>*</span> <span class='lparen'>(</span><span class='int'>8</span> <span class='op'>-</span> <span class='id identifier rubyid_run_offset_size'>run_offset_size</span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_run_offset'>run_offset</span> <span class='op'>=</span> <span class='id identifier rubyid_run_offset'>run_offset</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>q&lt;</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='comment'>#offset relative to previous offset
</span> <span class='id identifier rubyid_run_offset'>run_offset</span> <span class='op'>+=</span> <span class='id identifier rubyid_old_offset'>old_offset</span>
<span class='id identifier rubyid_size_wanted'>size_wanted</span> <span class='op'>=</span> <span class='lbracket'>[</span><span class='id identifier rubyid_run_length'>run_length</span> <span class='op'>*</span> <span class='ivar'>@bytes_per_cluster</span><span class='comma'>,</span> <span class='id identifier rubyid_size_max'>size_max</span> <span class='op'>-</span> <span class='id identifier rubyid_attribut'>attribut</span><span class='period'>.</span><span class='id identifier rubyid_length'>length</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_min'>min</span>
<span class='kw'>if</span> <span class='id identifier rubyid_cluster_num'>cluster_num</span> <span class='op'>+</span> <span class='lparen'>(</span><span class='id identifier rubyid_size_max'>size_max</span> <span class='op'>/</span> <span class='ivar'>@bytes_per_cluster</span><span class='rparen'>)</span> <span class='op'>&gt;=</span> <span class='id identifier rubyid_run_list_num'>run_list_num</span> <span class='op'>&amp;&amp;</span> <span class='lparen'>(</span><span class='id identifier rubyid_cluster_num'>cluster_num</span> <span class='op'>&lt;</span> <span class='id identifier rubyid_run_length'>run_length</span> <span class='op'>+</span> <span class='id identifier rubyid_run_list_num'>run_list_num</span><span class='rparen'>)</span>
<span class='id identifier rubyid_run_list_offset_in_cluster'>run_list_offset_in_cluster</span> <span class='op'>=</span> <span class='id identifier rubyid_run_offset'>run_offset</span> <span class='op'>+</span> <span class='lbracket'>[</span><span class='id identifier rubyid_cluster_num'>cluster_num</span> <span class='op'>-</span> <span class='id identifier rubyid_run_list_num'>run_list_num</span><span class='comma'>,</span> <span class='int'>0</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_max'>max</span>
<span class='id identifier rubyid_run_list_offset'>run_list_offset</span> <span class='op'>=</span> <span class='lparen'>(</span><span class='id identifier rubyid_run_list_offset_in_cluster'>run_list_offset_in_cluster</span><span class='rparen'>)</span> <span class='op'>*</span> <span class='ivar'>@bytes_per_cluster</span>
<span class='id identifier rubyid_run_list_offset'>run_list_offset</span> <span class='op'>=</span> <span class='id identifier rubyid_run_list_offset'>run_list_offset</span><span class='period'>.</span><span class='id identifier rubyid_to_i'>to_i</span>
<span class='ivar'>@file_handler</span><span class='period'>.</span><span class='id identifier rubyid_seek'>seek</span><span class='lparen'>(</span><span class='id identifier rubyid_run_list_offset'>run_list_offset</span><span class='rparen'>)</span>
<span class='id identifier rubyid_data'>data</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_end'>&#39;</span></span>
<span class='kw'>while</span> <span class='id identifier rubyid_data'>data</span><span class='period'>.</span><span class='id identifier rubyid_length'>length</span> <span class='op'>&lt;</span> <span class='id identifier rubyid_size_wanted'>size_wanted</span>
<span class='comment'># Use a 4Mb block size to avoid target memory consumption
</span> <span class='id identifier rubyid_data'>data</span> <span class='op'>&lt;&lt;</span> <span class='ivar'>@file_handler</span><span class='period'>.</span><span class='id identifier rubyid_read'>read</span><span class='lparen'>(</span><span class='lbracket'>[</span><span class='id identifier rubyid_size_wanted'>size_wanted</span> <span class='op'>-</span> <span class='id identifier rubyid_data'>data</span><span class='period'>.</span><span class='id identifier rubyid_length'>length</span><span class='comma'>,</span> <span class='int'>2</span><span class='op'>**</span><span class='int'>22</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_min'>min</span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_attribut'>attribut</span> <span class='op'>&lt;&lt;</span> <span class='id identifier rubyid_data'>data</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_offset'>offset</span> <span class='op'>+=</span> <span class='id identifier rubyid_run_offset_size'>run_offset_size</span> <span class='op'>+</span> <span class='id identifier rubyid_run_length_size'>run_length_size</span> <span class='op'>+</span> <span class='int'>1</span>
<span class='id identifier rubyid_run_list_num'>run_list_num</span> <span class='op'>+=</span> <span class='id identifier rubyid_run_length'>run_length</span>
<span class='id identifier rubyid_old_offset'>old_offset</span> <span class='op'>=</span> <span class='id identifier rubyid_run_offset'>run_offset</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_attribut'>attribut</span> <span class='op'>=</span> <span class='id identifier rubyid_attribut'>attribut</span><span class='lbracket'>[</span><span class='int'>0</span><span class='comma'>,</span> <span class='id identifier rubyid_real_size'>real_size</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_attribut'>attribut</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="file-instance_method">
#<strong>file</strong>(path) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>return the file path in the NTFS partition</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
241
242
243
244
245
246
247
248
249
250
251
252
253
254</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/rex/parser/fs/ntfs.rb', line 241</span>
<span class='kw'>def</span> <span class='id identifier rubyid_file'>file</span><span class='lparen'>(</span><span class='id identifier rubyid_path'>path</span><span class='rparen'>)</span>
<span class='id identifier rubyid_repertory'>repertory</span> <span class='op'>=</span> <span class='id identifier rubyid_mft_record_from_mft_num'>mft_record_from_mft_num</span><span class='lparen'>(</span><span class='int'>5</span><span class='rparen'>)</span>
<span class='id identifier rubyid_index_entry'>index_entry</span> <span class='op'>=</span> <span class='lbrace'>{</span><span class='rbrace'>}</span>
<span class='id identifier rubyid_path'>path</span><span class='period'>.</span><span class='id identifier rubyid_split'>split</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>\\</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='period'>.</span><span class='id identifier rubyid_each'>each</span> <span class='kw'>do</span> <span class='op'>|</span><span class='id identifier rubyid_r'>r</span><span class='op'>|</span>
<span class='id identifier rubyid_attributes'>attributes</span> <span class='op'>=</span> <span class='id identifier rubyid_mft_record_attribute'>mft_record_attribute</span><span class='lparen'>(</span><span class='id identifier rubyid_repertory'>repertory</span><span class='rparen'>)</span>
<span class='id identifier rubyid_index'>index</span> <span class='op'>=</span> <span class='id identifier rubyid_index_list_from_attributes'>index_list_from_attributes</span><span class='lparen'>(</span><span class='id identifier rubyid_attributes'>attributes</span><span class='rparen'>)</span>
<span class='kw'>unless</span> <span class='id identifier rubyid_index'>index</span><span class='period'>.</span><span class='id identifier rubyid_key?'>key?</span><span class='lparen'>(</span><span class='id identifier rubyid_r'>r</span><span class='rparen'>)</span>
<span class='id identifier rubyid_fail'>fail</span> <span class='const'>ArgumentError</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>File path does not exist</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='id identifier rubyid_caller'>caller</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_index_entry'>index_entry</span> <span class='op'>=</span> <span class='id identifier rubyid_index'>index</span><span class='lbracket'>[</span><span class='id identifier rubyid_r'>r</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_repertory'>repertory</span> <span class='op'>=</span> <span class='id identifier rubyid_mft_record_from_mft_num'>mft_record_from_mft_num</span><span class='lparen'>(</span><span class='id identifier rubyid_index_entry'>index_entry</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>mft_offset</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_file_content_from_mft_num'>file_content_from_mft_num</span><span class='lparen'>(</span><span class='id identifier rubyid_index_entry'>index_entry</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>mft_offset</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='comma'>,</span> <span class='id identifier rubyid_index_entry'>index_entry</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>file_size</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='rparen'>)</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="file_content_from_mft_num-instance_method">
#<strong>file_content_from_mft_num</strong>(mft_num, size) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Get the file from the MFT number The size must be given because the $FILENAME attribute in the MFT entry does not contain it The file is in $DATA (128) Attribute</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
71
72
73
74
75
76
77
78
79
80</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/rex/parser/fs/ntfs.rb', line 71</span>
<span class='kw'>def</span> <span class='id identifier rubyid_file_content_from_mft_num'>file_content_from_mft_num</span><span class='lparen'>(</span><span class='id identifier rubyid_mft_num'>mft_num</span><span class='comma'>,</span> <span class='id identifier rubyid_size'>size</span><span class='rparen'>)</span>
<span class='id identifier rubyid_mft_record'>mft_record</span> <span class='op'>=</span> <span class='id identifier rubyid_mft_record_from_mft_num'>mft_record_from_mft_num</span><span class='lparen'>(</span><span class='id identifier rubyid_mft_num'>mft_num</span><span class='rparen'>)</span>
<span class='id identifier rubyid_attribute_list'>attribute_list</span> <span class='op'>=</span> <span class='id identifier rubyid_mft_record_attribute'>mft_record_attribute</span><span class='lparen'>(</span><span class='id identifier rubyid_mft_record'>mft_record</span><span class='rparen'>)</span>
<span class='kw'>if</span> <span class='id identifier rubyid_attribute_list'>attribute_list</span><span class='lbracket'>[</span><span class='const'><span class='object_link'><a href="#DATA_ATTRIBUTE_ID-constant" title="Rex::Parser::NTFS::DATA_ATTRIBUTE_ID (constant)">DATA_ATTRIBUTE_ID</a></span></span><span class='rbracket'>]</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>resident</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span>
<span class='kw'>return</span> <span class='id identifier rubyid_attribute_list'>attribute_list</span><span class='lbracket'>[</span><span class='const'><span class='object_link'><a href="#DATA_ATTRIBUTE_ID-constant" title="Rex::Parser::NTFS::DATA_ATTRIBUTE_ID (constant)">DATA_ATTRIBUTE_ID</a></span></span><span class='rbracket'>]</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>data</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span>
<span class='kw'>else</span>
<span class='id identifier rubyid_data_attribute'>data_attribute</span> <span class='op'>=</span> <span class='id identifier rubyid_attribute_list'>attribute_list</span><span class='lbracket'>[</span><span class='const'><span class='object_link'><a href="#DATA_ATTRIBUTE_ID-constant" title="Rex::Parser::NTFS::DATA_ATTRIBUTE_ID (constant)">DATA_ATTRIBUTE_ID</a></span></span><span class='rbracket'>]</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>data</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span>
<span class='kw'>return</span> <span class='id identifier rubyid_cluster_from_attribute_non_resident'>cluster_from_attribute_non_resident</span><span class='lparen'>(</span><span class='id identifier rubyid_data_attribute'>data_attribute</span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='comma'>,</span> <span class='id identifier rubyid_size'>size</span><span class='rbracket'>]</span>
<span class='kw'>end</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="filename_from_filenameattribute-instance_method">
#<strong>filename_from_filenameattribute</strong>(attribute) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Gather the name of the file from the $FILENAME (64) attribute</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
57
58
59
60
61
62
63</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/rex/parser/fs/ntfs.rb', line 57</span>
<span class='kw'>def</span> <span class='id identifier rubyid_filename_from_filenameattribute'>filename_from_filenameattribute</span><span class='lparen'>(</span><span class='id identifier rubyid_attribute'>attribute</span><span class='rparen'>)</span>
<span class='id identifier rubyid_filename_attribute'>filename_attribute</span> <span class='op'>=</span> <span class='id identifier rubyid_attribute'>attribute</span>
<span class='id identifier rubyid_length_of_name'>length_of_name</span> <span class='op'>=</span> <span class='id identifier rubyid_filename_attribute'>filename_attribute</span><span class='lbracket'>[</span><span class='int'>64</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_ord'>ord</span>
<span class='comment'># uft16 *2
</span> <span class='id identifier rubyid_d'>d</span> <span class='op'>=</span> <span class='op'>::</span><span class='const'>Encoding</span><span class='op'>::</span><span class='const'>Converter</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>UTF-16LE</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>UTF-8</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_d'>d</span><span class='period'>.</span><span class='id identifier rubyid_convert'>convert</span><span class='lparen'>(</span><span class='id identifier rubyid_filename_attribute'>filename_attribute</span><span class='lbracket'>[</span><span class='int'>66</span><span class='comma'>,</span> <span class='lparen'>(</span><span class='id identifier rubyid_length_of_name'>length_of_name</span> <span class='op'>*</span> <span class='int'>2</span><span class='rparen'>)</span><span class='rbracket'>]</span><span class='rparen'>)</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="index_list_from_attributes-instance_method">
#<strong>index_list_from_attributes</strong>(attributes) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>return the list of files in attribute directory and their MFT number and size</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
138
139
140
141
142
143
144
145
146</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/rex/parser/fs/ntfs.rb', line 138</span>
<span class='kw'>def</span> <span class='id identifier rubyid_index_list_from_attributes'>index_list_from_attributes</span><span class='lparen'>(</span><span class='id identifier rubyid_attributes'>attributes</span><span class='rparen'>)</span>
<span class='id identifier rubyid_index_root_attribute'>index_root_attribute</span> <span class='op'>=</span> <span class='id identifier rubyid_attributes'>attributes</span><span class='lbracket'>[</span><span class='const'><span class='object_link'><a href="#INDEX_ROOT_ID-constant" title="Rex::Parser::NTFS::INDEX_ROOT_ID (constant)">INDEX_ROOT_ID</a></span></span><span class='rbracket'>]</span>
<span class='id identifier rubyid_index_record'>index_record</span> <span class='op'>=</span> <span class='id identifier rubyid_index_root_attribute'>index_root_attribute</span><span class='lbracket'>[</span><span class='int'>16</span><span class='comma'>,</span> <span class='id identifier rubyid_index_root_attribute'>index_root_attribute</span><span class='period'>.</span><span class='id identifier rubyid_length'>length</span> <span class='op'>-</span> <span class='int'>16</span><span class='rbracket'>]</span>
<span class='kw'>if</span> <span class='id identifier rubyid_attributes'>attributes</span><span class='period'>.</span><span class='id identifier rubyid_key?'>key?</span><span class='lparen'>(</span><span class='const'><span class='object_link'><a href="#INDEX_ALLOCATION_ID-constant" title="Rex::Parser::NTFS::INDEX_ALLOCATION_ID (constant)">INDEX_ALLOCATION_ID</a></span></span><span class='rparen'>)</span>
<span class='kw'>return</span> <span class='id identifier rubyid_parse_index_list'>parse_index_list</span><span class='lparen'>(</span><span class='id identifier rubyid_index_record'>index_record</span><span class='comma'>,</span> <span class='id identifier rubyid_attributes'>attributes</span><span class='lbracket'>[</span><span class='const'><span class='object_link'><a href="#INDEX_ALLOCATION_ID-constant" title="Rex::Parser::NTFS::INDEX_ALLOCATION_ID (constant)">INDEX_ALLOCATION_ID</a></span></span><span class='rbracket'>]</span><span class='rparen'>)</span>
<span class='kw'>else</span>
<span class='kw'>return</span> <span class='id identifier rubyid_parse_index_list'>parse_index_list</span><span class='lparen'>(</span><span class='id identifier rubyid_index_record'>index_record</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="mft_record_attribute-instance_method">
#<strong>mft_record_attribute</strong>(mft_record, lazy = true) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>return the attribute list from the MFT record deal with resident and non resident attributes (but not $DATA due to performance issue) if lazy = True, this function only gather essential non resident attributes (INDEX_ALLOCATION). Non resident attributes can still be gathered later with cluster_from_attribute_non_resident function.</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/rex/parser/fs/ntfs.rb', line 204</span>
<span class='kw'>def</span> <span class='id identifier rubyid_mft_record_attribute'>mft_record_attribute</span><span class='lparen'>(</span><span class='id identifier rubyid_mft_record'>mft_record</span><span class='comma'>,</span> <span class='id identifier rubyid_lazy'>lazy</span><span class='op'>=</span><span class='kw'>true</span><span class='rparen'>)</span>
<span class='id identifier rubyid_attribute_list_offset'>attribute_list_offset</span> <span class='op'>=</span> <span class='id identifier rubyid_mft_record'>mft_record</span><span class='lbracket'>[</span><span class='int'>20</span><span class='comma'>,</span> <span class='int'>2</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>C</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_curs'>curs</span> <span class='op'>=</span> <span class='id identifier rubyid_attribute_list_offset'>attribute_list_offset</span>
<span class='id identifier rubyid_attribute_identifier'>attribute_identifier</span> <span class='op'>=</span> <span class='id identifier rubyid_mft_record'>mft_record</span><span class='lbracket'>[</span><span class='id identifier rubyid_curs'>curs</span><span class='comma'>,</span> <span class='int'>4</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>V</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_res'>res</span> <span class='op'>=</span> <span class='lbrace'>{</span><span class='rbrace'>}</span>
<span class='kw'>while</span> <span class='id identifier rubyid_attribute_identifier'>attribute_identifier</span> <span class='op'>!=</span> <span class='int'>0xFFFFFFFF</span>
<span class='comment'># attribute_size=mft_record[curs + 4, 4].unpack(&#39;V&#39;)[0]
</span> <span class='comment'># should be on 4 bytes but doesnt work
</span> <span class='id identifier rubyid_attribute_size'>attribute_size</span> <span class='op'>=</span> <span class='id identifier rubyid_mft_record'>mft_record</span><span class='lbracket'>[</span><span class='id identifier rubyid_curs'>curs</span> <span class='op'>+</span> <span class='int'>4</span><span class='comma'>,</span> <span class='int'>2</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>v</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='comment'># resident
</span> <span class='kw'>if</span> <span class='id identifier rubyid_mft_record'>mft_record</span><span class='lbracket'>[</span><span class='id identifier rubyid_curs'>curs</span> <span class='op'>+</span> <span class='int'>8</span><span class='rbracket'>]</span> <span class='op'>==</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x00</span><span class='tstring_end'>&quot;</span></span>
<span class='id identifier rubyid_content_size'>content_size</span> <span class='op'>=</span> <span class='id identifier rubyid_mft_record'>mft_record</span><span class='lbracket'>[</span><span class='id identifier rubyid_curs'>curs</span> <span class='op'>+</span> <span class='int'>16</span><span class='comma'>,</span> <span class='int'>4</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>V</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_content_offset'>content_offset</span> <span class='op'>=</span> <span class='id identifier rubyid_mft_record'>mft_record</span><span class='lbracket'>[</span><span class='id identifier rubyid_curs'>curs</span> <span class='op'>+</span> <span class='int'>20</span><span class='comma'>,</span> <span class='int'>2</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>v</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_res'>res</span><span class='lbracket'>[</span><span class='id identifier rubyid_attribute_identifier'>attribute_identifier</span><span class='rbracket'>]</span> <span class='op'>=</span> <span class='id identifier rubyid_mft_record'>mft_record</span><span class='lbracket'>[</span><span class='id identifier rubyid_curs'>curs</span> <span class='op'>+</span> <span class='id identifier rubyid_content_offset'>content_offset</span><span class='comma'>,</span> <span class='id identifier rubyid_content_size'>content_size</span><span class='rbracket'>]</span>
<span class='kw'>else</span>
<span class='comment'># non resident
</span> <span class='kw'>if</span> <span class='id identifier rubyid_attribute_identifier'>attribute_identifier</span> <span class='op'>==</span> <span class='const'><span class='object_link'><a href="#INDEX_ALLOCATION_ID-constant" title="Rex::Parser::NTFS::INDEX_ALLOCATION_ID (constant)">INDEX_ALLOCATION_ID</a></span></span> <span class='kw'>or</span>
<span class='lparen'>(</span><span class='op'>!</span><span class='id identifier rubyid_lazy'>lazy</span> <span class='kw'>and</span> <span class='id identifier rubyid_attribute_identifier'>attribute_identifier</span> <span class='op'>!=</span> <span class='const'><span class='object_link'><a href="#DATA_ATTRIBUTE_ID-constant" title="Rex::Parser::NTFS::DATA_ATTRIBUTE_ID (constant)">DATA_ATTRIBUTE_ID</a></span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_res'>res</span><span class='lbracket'>[</span><span class='id identifier rubyid_attribute_identifier'>attribute_identifier</span><span class='rbracket'>]</span> <span class='op'>=</span> <span class='id identifier rubyid_cluster_from_attribute_non_resident'>cluster_from_attribute_non_resident</span><span class='lparen'>(</span><span class='id identifier rubyid_mft_record'>mft_record</span><span class='lbracket'>[</span><span class='id identifier rubyid_curs'>curs</span><span class='comma'>,</span> <span class='id identifier rubyid_attribute_size'>attribute_size</span><span class='rbracket'>]</span><span class='rparen'>)</span>
<span class='kw'>else</span>
<span class='id identifier rubyid_res'>res</span><span class='lbracket'>[</span><span class='id identifier rubyid_attribute_identifier'>attribute_identifier</span><span class='rbracket'>]</span> <span class='op'>=</span> <span class='id identifier rubyid_mft_record'>mft_record</span><span class='lbracket'>[</span><span class='id identifier rubyid_curs'>curs</span><span class='comma'>,</span> <span class='id identifier rubyid_attribute_size'>attribute_size</span><span class='rbracket'>]</span>
<span class='kw'>end</span>
<span class='kw'>end</span>
<span class='kw'>if</span> <span class='id identifier rubyid_attribute_identifier'>attribute_identifier</span> <span class='op'>==</span> <span class='const'><span class='object_link'><a href="#DATA_ATTRIBUTE_ID-constant" title="Rex::Parser::NTFS::DATA_ATTRIBUTE_ID (constant)">DATA_ATTRIBUTE_ID</a></span></span>
<span class='id identifier rubyid_res'>res</span><span class='lbracket'>[</span><span class='id identifier rubyid_attribute_identifier'>attribute_identifier</span><span class='rbracket'>]</span> <span class='op'>=</span> <span class='lbrace'>{</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>data</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='id identifier rubyid_res'>res</span><span class='lbracket'>[</span><span class='id identifier rubyid_attribute_identifier'>attribute_identifier</span><span class='rbracket'>]</span><span class='comma'>,</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>resident</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='id identifier rubyid_mft_record'>mft_record</span><span class='lbracket'>[</span><span class='id identifier rubyid_curs'>curs</span> <span class='op'>+</span> <span class='int'>8</span><span class='rbracket'>]</span> <span class='op'>==</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>\x00</span><span class='tstring_end'>&quot;</span></span> <span class='rbrace'>}</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_curs'>curs</span> <span class='op'>+=</span> <span class='id identifier rubyid_attribute_size'>attribute_size</span>
<span class='id identifier rubyid_attribute_identifier'>attribute_identifier</span> <span class='op'>=</span> <span class='id identifier rubyid_mft_record'>mft_record</span><span class='lbracket'>[</span><span class='id identifier rubyid_curs'>curs</span><span class='comma'>,</span> <span class='int'>4</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>V</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_res'>res</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="mft_record_from_mft_num-instance_method">
#<strong>mft_record_from_mft_num</strong>(mft_num) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Gather the MFT entry corresponding to his number</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
40
41
42
43
44</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/rex/parser/fs/ntfs.rb', line 40</span>
<span class='kw'>def</span> <span class='id identifier rubyid_mft_record_from_mft_num'>mft_record_from_mft_num</span><span class='lparen'>(</span><span class='id identifier rubyid_mft_num'>mft_num</span><span class='rparen'>)</span>
<span class='id identifier rubyid_mft_num_offset'>mft_num_offset</span> <span class='op'>=</span> <span class='id identifier rubyid_mft_num'>mft_num</span> <span class='op'>*</span> <span class='ivar'>@cluster_per_mft_record</span>
<span class='id identifier rubyid_mft_data_attribute'>mft_data_attribute</span> <span class='op'>=</span> <span class='id identifier rubyid_mft_record_attribute'>mft_record_attribute</span><span class='lparen'>(</span><span class='ivar'>@mft</span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='const'><span class='object_link'><a href="#DATA_ATTRIBUTE_ID-constant" title="Rex::Parser::NTFS::DATA_ATTRIBUTE_ID (constant)">DATA_ATTRIBUTE_ID</a></span></span><span class='rbracket'>]</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>data</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span>
<span class='id identifier rubyid_cluster_from_attribute_non_resident'>cluster_from_attribute_non_resident</span><span class='lparen'>(</span><span class='id identifier rubyid_mft_data_attribute'>mft_data_attribute</span><span class='comma'>,</span> <span class='id identifier rubyid_mft_num_offset'>mft_num_offset</span><span class='comma'>,</span> <span class='ivar'>@bytes_per_mft_record</span><span class='rparen'>)</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="parse_index-instance_method">
#<strong>parse_index</strong>(index_entry) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>parse one index record and return the name, MFT number and size of the file</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
85
86
87
88
89
90
91
92
93
94
95
96
97</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/rex/parser/fs/ntfs.rb', line 85</span>
<span class='kw'>def</span> <span class='id identifier rubyid_parse_index'>parse_index</span><span class='lparen'>(</span><span class='id identifier rubyid_index_entry'>index_entry</span><span class='rparen'>)</span>
<span class='id identifier rubyid_res'>res</span> <span class='op'>=</span> <span class='lbrace'>{</span><span class='rbrace'>}</span>
<span class='id identifier rubyid_filename_size'>filename_size</span> <span class='op'>=</span> <span class='id identifier rubyid_index_entry'>index_entry</span><span class='lbracket'>[</span><span class='int'>10</span><span class='comma'>,</span> <span class='int'>2</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>v</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_filename_attribute'>filename_attribute</span> <span class='op'>=</span> <span class='id identifier rubyid_index_entry'>index_entry</span><span class='lbracket'>[</span><span class='int'>16</span><span class='comma'>,</span> <span class='id identifier rubyid_filename_size'>filename_size</span><span class='rbracket'>]</span>
<span class='comment'># Should be 8 bytes but it doesn&#39;t work
</span> <span class='comment'># mft_offset = index_entry[0.unpack(&#39;Q&lt;&#39;,:8])[0]
</span> <span class='comment'># work with 4 bytes
</span> <span class='id identifier rubyid_mft_offset'>mft_offset</span> <span class='op'>=</span> <span class='id identifier rubyid_index_entry'>index_entry</span><span class='lbracket'>[</span><span class='int'>0</span><span class='comma'>,</span> <span class='int'>4</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>V</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_res'>res</span><span class='lbracket'>[</span><span class='id identifier rubyid_filename_from_filenameattribute'>filename_from_filenameattribute</span><span class='lparen'>(</span><span class='id identifier rubyid_filename_attribute'>filename_attribute</span><span class='rparen'>)</span><span class='rbracket'>]</span> <span class='op'>=</span> <span class='lbrace'>{</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>mft_offset</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='id identifier rubyid_mft_offset'>mft_offset</span><span class='comma'>,</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>file_size</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='id identifier rubyid_real_size_from_filenameattribute'>real_size_from_filenameattribute</span><span class='lparen'>(</span><span class='id identifier rubyid_filename_attribute'>filename_attribute</span><span class='rparen'>)</span> <span class='rbrace'>}</span>
<span class='id identifier rubyid_res'>res</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="parse_index_list-instance_method">
#<strong>parse_index_list</strong>(index_record, index_allocation_attribute) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>parse index_record in $INDEX_ROOT and recursively index_record in INDEX_ALLOCATION</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/rex/parser/fs/ntfs.rb', line 103</span>
<span class='kw'>def</span> <span class='id identifier rubyid_parse_index_list'>parse_index_list</span><span class='lparen'>(</span><span class='id identifier rubyid_index_record'>index_record</span><span class='comma'>,</span> <span class='id identifier rubyid_index_allocation_attribute'>index_allocation_attribute</span><span class='rparen'>)</span>
<span class='id identifier rubyid_offset_index_entry_list'>offset_index_entry_list</span> <span class='op'>=</span> <span class='id identifier rubyid_index_record'>index_record</span><span class='lbracket'>[</span><span class='int'>0</span><span class='comma'>,</span> <span class='int'>4</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>V</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_index_size'>index_size</span> <span class='op'>=</span> <span class='id identifier rubyid_index_record'>index_record</span><span class='lbracket'>[</span><span class='id identifier rubyid_offset_index_entry_list'>offset_index_entry_list</span> <span class='op'>+</span> <span class='int'>8</span><span class='comma'>,</span> <span class='int'>2</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>v</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_index_size_in_bytes'>index_size_in_bytes</span> <span class='op'>=</span> <span class='id identifier rubyid_index_size'>index_size</span> <span class='op'>*</span> <span class='ivar'>@bytes_per_cluster</span>
<span class='id identifier rubyid_index_entry'>index_entry</span> <span class='op'>=</span> <span class='id identifier rubyid_index_record'>index_record</span><span class='lbracket'>[</span><span class='id identifier rubyid_offset_index_entry_list'>offset_index_entry_list</span><span class='comma'>,</span> <span class='id identifier rubyid_index_size'>index_size</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_res'>res</span> <span class='op'>=</span> <span class='lbrace'>{</span><span class='rbrace'>}</span>
<span class='kw'>while</span> <span class='id identifier rubyid_index_entry'>index_entry</span><span class='lbracket'>[</span><span class='int'>12</span><span class='comma'>,</span> <span class='int'>4</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>V</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span> <span class='op'>&amp;</span> <span class='int'>2</span> <span class='op'>!=</span> <span class='int'>2</span>
<span class='id identifier rubyid_res'>res</span><span class='period'>.</span><span class='id identifier rubyid_update'>update</span><span class='lparen'>(</span><span class='id identifier rubyid_parse_index'>parse_index</span><span class='lparen'>(</span><span class='id identifier rubyid_index_entry'>index_entry</span><span class='rparen'>)</span><span class='rparen'>)</span>
<span class='comment'># if son
</span> <span class='kw'>if</span> <span class='id identifier rubyid_index_entry'>index_entry</span><span class='lbracket'>[</span><span class='int'>12</span><span class='comma'>,</span> <span class='int'>4</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>V</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span> <span class='op'>&amp;</span> <span class='int'>1</span> <span class='op'>==</span> <span class='int'>1</span>
<span class='comment'># should be 8 bytes length
</span> <span class='id identifier rubyid_vcn'>vcn</span> <span class='op'>=</span> <span class='id identifier rubyid_index_entry'>index_entry</span><span class='lbracket'>[</span><span class='op'>-</span><span class='int'>8</span><span class='comma'>,</span> <span class='int'>4</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>V</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_vcn_in_bytes'>vcn_in_bytes</span> <span class='op'>=</span> <span class='id identifier rubyid_vcn'>vcn</span> <span class='op'>*</span> <span class='ivar'>@bytes_per_cluster</span>
<span class='id identifier rubyid_res_son'>res_son</span> <span class='op'>=</span> <span class='id identifier rubyid_parse_index_list'>parse_index_list</span><span class='lparen'>(</span><span class='id identifier rubyid_index_allocation_attribute'>index_allocation_attribute</span><span class='lbracket'>[</span><span class='id identifier rubyid_vcn_in_bytes'>vcn_in_bytes</span> <span class='op'>+</span> <span class='int'>24</span><span class='comma'>,</span> <span class='id identifier rubyid_index_size_in_bytes'>index_size_in_bytes</span><span class='rbracket'>]</span><span class='comma'>,</span> <span class='id identifier rubyid_index_allocation_attribute'>index_allocation_attribute</span><span class='rparen'>)</span>
<span class='id identifier rubyid_res'>res</span><span class='period'>.</span><span class='id identifier rubyid_update'>update</span><span class='lparen'>(</span><span class='id identifier rubyid_res_son'>res_son</span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_offset_index_entry_list'>offset_index_entry_list</span> <span class='op'>+=</span> <span class='id identifier rubyid_index_size'>index_size</span>
<span class='id identifier rubyid_index_size'>index_size</span> <span class='op'>=</span> <span class='id identifier rubyid_index_record'>index_record</span><span class='lbracket'>[</span><span class='id identifier rubyid_offset_index_entry_list'>offset_index_entry_list</span> <span class='op'>+</span> <span class='int'>8</span><span class='comma'>,</span> <span class='int'>2</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>v</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_index_size_in_bytes'>index_size_in_bytes</span> <span class='op'>=</span> <span class='id identifier rubyid_index_size'>index_size</span> <span class='op'>*</span> <span class='ivar'>@bytes_per_cluster</span>
<span class='id identifier rubyid_index_entry'>index_entry</span> <span class='op'>=</span> <span class='id identifier rubyid_index_record'>index_record</span> <span class='lbracket'>[</span><span class='id identifier rubyid_offset_index_entry_list'>offset_index_entry_list</span><span class='comma'>,</span> <span class='id identifier rubyid_index_size'>index_size</span><span class='rbracket'>]</span>
<span class='kw'>end</span>
<span class='comment'># if son on the last
</span> <span class='kw'>if</span> <span class='id identifier rubyid_index_entry'>index_entry</span><span class='lbracket'>[</span><span class='int'>12</span><span class='comma'>,</span> <span class='int'>4</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>V</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span> <span class='op'>&amp;</span> <span class='int'>1</span> <span class='op'>==</span> <span class='int'>1</span>
<span class='comment'># should be 8 bytes length
</span> <span class='id identifier rubyid_vcn'>vcn</span> <span class='op'>=</span> <span class='id identifier rubyid_index_entry'>index_entry</span><span class='lbracket'>[</span><span class='op'>-</span><span class='int'>8</span><span class='comma'>,</span> <span class='int'>4</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>V</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='id identifier rubyid_vcn_in_bytes'>vcn_in_bytes</span> <span class='op'>=</span> <span class='id identifier rubyid_vcn'>vcn</span> <span class='op'>*</span> <span class='ivar'>@bytes_per_cluster</span>
<span class='id identifier rubyid_res_son'>res_son</span> <span class='op'>=</span> <span class='id identifier rubyid_parse_index_list'>parse_index_list</span><span class='lparen'>(</span><span class='id identifier rubyid_index_allocation_attribute'>index_allocation_attribute</span><span class='lbracket'>[</span><span class='id identifier rubyid_vcn_in_bytes'>vcn_in_bytes</span> <span class='op'>+</span> <span class='int'>24</span><span class='comma'>,</span> <span class='id identifier rubyid_index_size_in_bytes'>index_size_in_bytes</span><span class='rbracket'>]</span><span class='comma'>,</span> <span class='id identifier rubyid_index_allocation_attribute'>index_allocation_attribute</span><span class='rparen'>)</span>
<span class='id identifier rubyid_res'>res</span><span class='period'>.</span><span class='id identifier rubyid_update'>update</span><span class='lparen'>(</span><span class='id identifier rubyid_res_son'>res_son</span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_res'>res</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="real_size_from_filenameattribute-instance_method">
#<strong>real_size_from_filenameattribute</strong>(attribute) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Get the size of the file in the $FILENAME (64) attribute</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
49
50
51
52</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/rex/parser/fs/ntfs.rb', line 49</span>
<span class='kw'>def</span> <span class='id identifier rubyid_real_size_from_filenameattribute'>real_size_from_filenameattribute</span><span class='lparen'>(</span><span class='id identifier rubyid_attribute'>attribute</span><span class='rparen'>)</span>
<span class='id identifier rubyid_filename_attribute'>filename_attribute</span> <span class='op'>=</span> <span class='id identifier rubyid_attribute'>attribute</span>
<span class='id identifier rubyid_filename_attribute'>filename_attribute</span><span class='lbracket'>[</span><span class='int'>48</span><span class='comma'>,</span> <span class='int'>8</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_unpack'>unpack</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Q&lt;</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
</div>
</div>
<div id="footer">
Generated on Fri May 8 17:04:06 2026 by
<a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
0.9.37 (ruby-3.1.5).
</div>
</div>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink