NTFS0x90属性和0xa0属性和0xb0属性的一一对应关系是index_entry中的index_node中VCN和runlist和bitmap

sitelist2025-05-27 19:48

第一部分:

0: kd> dt _FILE_RECORD_SEGMENT_HEADER 0xc1241400

Ntfs!_FILE_RECORD_SEGMENT_HEADER

+0x000 MultiSectorHeader : _MULTI_SECTOR_HEADER

+0x008 Lsn : _LARGE_INTEGER 0x80e74aa

+0x010 SequenceNumber : 5

+0x012 ReferenceCount : 1

+0x014 FirstAttributeOffset : 0x38

+0x016 Flags : 3

+0x018 FirstFreeByte : 0x2b8

+0x01c BytesAvailable : 0x400

+0x020 BaseFileRecordSegment : _MFT_SEGMENT_REFERENCE

+0x028 NextAttributeInstance : 0xa

+0x02a SegmentNumberHighPart : 0

+0x02c SegmentNumberLowPart : 5

+0x030 UpdateArrayForCreateOnly : [1] 0x131

0: kd> dt ATTRIBUTE_RECORD_HEADER 0xc1241400+38

Ntfs!ATTRIBUTE_RECORD_HEADER

+0x000 TypeCode : 0x10

+0x004 RecordLength : 0x48

+0x008 FormCode : 0 ''

+0x009 NameLength : 0 ''

+0x00a NameOffset : 0x18

+0x00c Flags : 0

+0x00e Instance : 0

+0x010 Form : __unnamed

0: kd> dt ATTRIBUTE_RECORD_HEADER 0xc1241400+38+48

Ntfs!ATTRIBUTE_RECORD_HEADER

+0x000 TypeCode : 0x30

+0x004 RecordLength : 0x60

+0x008 FormCode : 0 ''

+0x009 NameLength : 0 ''

+0x00a NameOffset : 0x18

+0x00c Flags : 0

+0x00e Instance : 1

+0x010 Form : __unnamed

0: kd> dt ATTRIBUTE_RECORD_HEADER 0xc1241400+38+48+60

Ntfs!ATTRIBUTE_RECORD_HEADER

+0x000 TypeCode : 0x40

+0x004 RecordLength : 0x28

+0x008 FormCode : 0 ''

+0x009 NameLength : 0 ''

+0x00a NameOffset : 0

+0x00c Flags : 0

+0x00e Instance : 9

+0x010 Form : __unnamed

0: kd> dt ATTRIBUTE_RECORD_HEADER 0xc1241400+38+48+60+28

Ntfs!ATTRIBUTE_RECORD_HEADER

+0x000 TypeCode : 0x50

+0x004 RecordLength : 0x48

+0x008 FormCode : 0x1 ''

+0x009 NameLength : 0 ''

+0x00a NameOffset : 0x40

+0x00c Flags : 0

+0x00e Instance : 2

+0x010 Form : __unnamed

0: kd> dt ATTRIBUTE_RECORD_HEADER 0xc1241400+38+48+60+28+48

Ntfs!ATTRIBUTE_RECORD_HEADER

+0x000 TypeCode : 0x90

+0x004 RecordLength : 0xe0

+0x008 FormCode : 0 ''

+0x009 NameLength : 0x4 ''

+0x00a NameOffset : 0x18

+0x00c Flags : 0

+0x00e Instance : 6

+0x010 Form : __unnamed

0: kd> dt ATTRIBUTE_RECORD_HEADER 0xc1241400+38+48+60+28+48+e0

Ntfs!ATTRIBUTE_RECORD_HEADER

+0x000 TypeCode : 0xa0

+0x004 RecordLength : 0x58

+0x008 FormCode : 0x1 ''

+0x009 NameLength : 0x4 ''

+0x00a NameOffset : 0x40

+0x00c Flags : 0

+0x00e Instance : 8

+0x010 Form : __unnamed

0: kd> dt ATTRIBUTE_RECORD_HEADER 0xc1241400+38+48+60+28+48+e0+58

Ntfs!ATTRIBUTE_RECORD_HEADER

+0x000 TypeCode : 0xb0

+0x004 RecordLength : 0x28

+0x008 FormCode : 0 ''

+0x009 NameLength : 0x4 ''

+0x00a NameOffset : 0x18

+0x00c Flags : 0

+0x00e Instance : 7

+0x010 Form : __unnamed

0: kd> dt ATTRIBUTE_RECORD_HEADER 0xc1241400+38+48+60+28+48+e0+58+28

Ntfs!ATTRIBUTE_RECORD_HEADER

+0x000 TypeCode : 0xffffffff

+0x004 RecordLength : 0

+0x008 FormCode : 0 ''

+0x009 NameLength : 0 ''

+0x00a NameOffset : 0

+0x00c Flags : 0

+0x00e Instance : 0

+0x010 Form : __unnamed

第二部分:

0: kd> db 0xc1241400+38+48+60+28+48+e0+58

c1241688 b0 00 00 00 28 00 00 00-00 04 18 00 00 00 07 00 ....(...........

c1241698 08 00 00 00 20 00 00 00-24 00 49 00 33 00 30 00 .... ...$.I.3.0.

c12416a8 03 00 00 00 00 00 00 00-ff ff ff ff 00 00 00 00 ................

c12416b8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

c12416c8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

c12416d8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

c12416e8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

c12416f8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

c12416a8 03 00 00 00 00

0011 0000 0000 0000 说明第一个vcn和第二个vcn都被使用

第三部分:

0: kd> db 0xc1241400+38+48+60+28+48+e0

c1241630 a0 00 00 00 58 00 00 00-01 04 40 00 00 00 08 00 ....X.....@.....

c1241640 00 00 00 00 00 00 00 00-01 00 00 00 00 00 00 00 ................

c1241650 48 00 00 00 00 00 00 00-00 20 00 00 00 00 00 00 H........ ......

c1241660 00 20 00 00 00 00 00 00-00 20 00 00 00 00 00 00 . ....... ......

c1241670 24 00 49 00 33 00 30 00-31 01 5d 71 51 31 01 8c $.I.3.0.1.]qQ1..

c1241680 6a b0 00 e1 48 d9 17 ba-b0 00 00 00 28 00 00 00 j...H.......(...

c1241690 00 04 18 00 00 00 07 00-08 00 00 00 20 00 00 00 ............ ...

c12416a0 24 00 49 00 33 00 30 00-03 00 00 00 00 00 00 00 $.I.3.0.........

31 01 5d 71 51 长度为1:0x51715d是LCN号

31 01 8c 6a b0 长度为1:0xbo6a8c是LCN号

第四部分:

0: kd> dt index_root 0xc1241400+38+48+60+28+48+20

Ntfs!INDEX_ROOT

+0x000 IndexedAttributeType : 0x30

+0x004 CollationRule : 1

+0x008 BytesPerIndexBuffer : 0x1000

+0x00c BlocksPerIndexBuffer : 0x1 ''

+0x00d Reserved : [3] ""

+0x010 IndexHeader : _INDEX_HEADER

0: kd> dx -id 0,0,899a2278 -r1 (*((Ntfs!_INDEX_HEADER *)0xc1241580))

(*((Ntfs!_INDEX_HEADER *)0xc1241580)) [Type: _INDEX_HEADER]

+0x000\] FirstIndexEntry : 0x10 \[Type: unsigned long

+0x004\] FirstFreeByte : 0xb0 \[Type: unsigned long

+0x008\] BytesAvailable : 0xb0 \[Type: unsigned long

+0x00c\] Flags : 0x1 \[Type: unsigned char

+0x00d\] Reserved \[Type: unsigned char \[3\]

0: kd> dt index_entry 0xc1241400+38+48+60+28+48+20+20

Ntfs!INDEX_ENTRY

+0x000 FileReference : _MFT_SEGMENT_REFERENCE

+0x000 DataOffset : 0xd4a

+0x002 DataLength : 0

+0x004 ReservedForZero : 0x10000

+0x008 Length : 0x88

+0x00a AttributeLength : 0x6e

+0x00c Flags : 1 //索引节点VCN 00000000 00000000

+0x00e Reserved : 0

0: kd> dd 0xc1241400+38+48+60+28+48+20+20+88-8

c1241610 00000000 00000000 00000000 00000000

c1241620 00000018 00000003 00000001 00000000

c1241630 000000a0 00000058 00400401 00080000

c1241640 00000000 00000000 00000001 00000000

c1241650 00000048 00000000 00002000 00000000

c1241660 00002000 00000000 00002000 00000000

c1241670 00490024 00300033 715d0131 8c013151

c1241680 e100b06a ba17d948 000000b0 00000028

0: kd> dt index_entry 0xc1241400+38+48+60+28+48+20+20+88

Ntfs!INDEX_ENTRY

+0x000 FileReference : _MFT_SEGMENT_REFERENCE

+0x000 DataOffset : 0

+0x002 DataLength : 0

+0x004 ReservedForZero : 0

+0x008 Length : 0x18

+0x00a AttributeLength : 0

+0x00c Flags : 3 //索引节点VCN c1241628 00000001 00000000

+0x00e Reserved : 0

0: kd> dd 0xc1241400+38+48+60+28+48+20+20+88+18-8

c1241628 00000001 00000000 000000a0 00000058

c1241638 00400401 00080000 00000000 00000000

c1241648 00000001 00000000 00000048 00000000

c1241658 00002000 00000000 00002000 00000000

c1241668 00002000 00000000 00490024 00300033

c1241678 715d0131 8c013151 e100b06a ba17d948

c1241688 000000b0 00000028 00180400 00070000

c1241698 00000008 00000020 00490024 00300033

相关推荐
这孩子叫逆8 个月前
Redis实战(使用Scan,Lua脚本,一次扣多个库存,多线程并发使用,并发获取分布式锁,BItMap实现签到和在线统计)
java·redis·bitmap·scan
菠萝加点糖10 个月前
Android 中处理 RGB24 格式数据
android·bitmap
surpassLiang1 年前
基于BitMap的工作日间隔计算
数据库·bitmap·bitset·工作日计算·postgesql
xiangxiongfly9151 年前
Android 通过View生成Bitmap
android·bitmap
一叶知秋临1 年前
Redis基本概念
redis·bitmap·zset·geo·hyperlog
NPE~1 年前
Golang基于Redis bitmap实现布隆过滤器(完结版)
开发语言·redis·后端·缓存·golang·bitmap·布隆过滤器
吕氏春秋i1 年前
Android Glide从网络加载图片 点击可放大查看效果
android·glide·图片放大·bitmap
bcbobo21cn1 年前
C# Bitmap类学习1
开发语言·c#·bitmap·setpixel
热门推荐
01YOLOv8入门 | 重要性能衡量指标、训练结果评价及分析及影响mAP的因素【发论文关注的指标】02KGG转MP3工具|非KGM文件|解密音频03从零安装 LLaMA-Factory 微调 Qwen 大模型成功及所有的坑04DeepSeek各版本说明与优缺点分析05【SpeedAI科研小助手】2分钟极速解决知网维普重复率、AIGC率过高,一键全文降!文件格式不变,公式都保留的!06组基轨迹建模 GBTM的介绍与实现(Stata 或 R)07【2025年最新】OpenWrt 更换国内源的指南(图形界面版)08VMware虚拟机安装Win7专业版保姆级教程(附镜像包)09Coze扣子平台完整体验和实践(附国内和国际版对比)10yolov8实战第五天——yolov8+ffmpg实时视频流检测并进行实时推流——(推流,保姆教学)