def MFT_dict(array):
mft=dict()
mft['Signature']=array[0:4]
mft['Offset_to_fixup_array']=array[4:6]
mft['Number_of_entries_in_fixup_array']=array[6:8]
mft['LogFile_Sequence_Number']=array[8:16]
mft['Sequence_Number']=array[16:18]
mft['Link_count']=array[18:20]
mft['Offset_to_first_attribute']=array[20:22]
mft['Flags']=array[22:24]
mft['Used_size_of_MFT_Entry']=array[24:28]
mft['Allocated_size_of_MFT_Entry']=array[28:32]
mft['File_reference_to_base_record']=array[32:40]
mft['Next_attribute_id']=array[40:42]
mft['Align_to_4B_boundary']=array[42:44]
mft['Number_of_this_MFT_Entry']=array[44:48]
return mft
def l_e(string): # little_endia
res=list()
for i in range(len(string)-1,-1,-1):
res.append(string[i])
return ''.join(res)
def c_h(string): # calc_hex
mul=1
res=0
for i in range(len(string)-1,-1,-1):
res+=ord(string[i])*mul
mul*=256
return res
handle=open('\\\\.\\PhysicalDrive0','rb') # 추후 다른 드라이브로 바꾸어 주어야 한다.
handle.seek(0) # 디스크 제일 앞으로 핸들위치 변경
mbr=handle.read(512) # 512바이트를 읽는다(부트섹터를 읽는것)
partition=list()
for i in range(0,4):
partition.append(mbr[446+i*16:446+i*16+0x10])
for i in range(0,4):
if partition[i][0]=='\x80' and partition[i][4]=='\x07':
print "i think this partition is windows. partition : "+str(i)
vbr_offset=str(c_h(l_e(partition[i][8:12])))
print "starting vbr : "+vbr_offset
handle.seek(int(vbr_offset)*512) # 섹터단위로 읽어야 하기 때문에 *512
vbr=handle.read(512)
ntfs={"StartOfMFT":c_h(l_e(vbr[0x30:0x38])),"SecPerClus":c_h(l_e(vbr[0x0d])),"BytesPerSec":c_h(l_e(vbr[0x0b:0x0d])),"VolBeginSec":int(vbr_offset)}
ntfs['MFTStartSec']=(ntfs['StartOfMFT']*ntfs['SecPerClus']+ntfs['VolBeginSec'])
handle.seek(ntfs['MFTStartSec']*ntfs['BytesPerSec'])
tmp=handle.read(1024)
mft=MFT_dict(tmp)
'기타' 카테고리의 다른 글
| CGC on Ubuntu (0) | 2016.08.24 |
|---|---|
| CGC? (0) | 2016.07.28 |
| Mail Encoding & UTF-8 <-> Unicode 변환 (0) | 2016.07.21 |
| Google Map API 사용(Static) (0) | 2016.07.21 |
| los.sandbox (0) | 2016.04.25 |