
NtfsStreamsEditor.zip


提交时间:2006-03-18
提交用户:smzd2005
工具分类:其它工具
运行平台:Windows
工具大小:356876 Bytes
文件MD5 :abd453c1d3951a427842df38c5425062
工具来源:http://www.freewebs.com/okwin/

NtfsStreamsEditor V1.0

1.简介
NtfsStreamsEditor是对NTFS分区的文件的数据流进行编辑,删除,
附加,备份和还原的强大工具。

注意:没有任何明确或暗示形式的担保。你使用要自己承担风险。
不管是作者还是作者的代理,都没有责任对使用或误用本软件时
的数据丢失、损坏、利益损失或其它任何形式的损失负责。


2.关于NTFS分区的数据流
NTFS分区的数据流是一个子文件系统,它允许把额外的数据附加到某个特定的文件上;
FAT/FAT32文件系统不支持数据流。附加的数据流不计入资源管理器显示的文件大小,
默认的目录列表也不会显示,因此检查文件时需要专门枚举数据流。

3.关于NTFS文件系统中的数据流问题
参见http://www.xfocus.net/articles/200103/81.html


4.FAQ
Q:能否建立C:\:.:$DATA或者C:\:www.txt:$DATA这样的流,并能删除吗?
A:可以附加或者删除,但是无法编辑。请小心可能的危害。

5.部分核心源码

// Native-API declarations used to enumerate the NTFS data streams of a file
// through NtQueryInformationFile.
type

   // Completion block passed by pointer to NtQueryInformationFile.
   // GetAFileInfo treats Information = 0 as "nothing returned";
   // presumably it is the number of bytes written -- TODO confirm.
   IO_STATUS_BLOCK=record
   Status:INTEGER;
   Information:ULONG;
   end;
PIO_STATUS_BLOCK=^IO_STATUS_BLOCK;

   // One variable-length entry of the stream list. Declared packed, so the
   // fields are laid out back to back with no padding.
   PFILE_STREAM_INFORMATION=^FILE_STREAM_INFORMATION;
   FILE_STREAM_INFORMATION=packed record
       NextEntry:ULONG;   // byte offset from this entry to the next one; 0 marks the last entry
      NameLength:ULONG;   // length of the stream name in BYTES (not characters), no terminator counted
      Size:LARGE_INTEGER;   // stream size reported to the caller
      AllocationSize:LARGE_INTEGER;
    pName:WORD;   // first UTF-16 unit of the name; the remaining units follow in memory,
                  // so readers must bound NameLength before copying from here
   end;

   // The information class is passed as a plain integer.
   FILE_INFORMATION_CLASS=INTEGER;

   // Signature of NtQueryInformationFile; returns an NTSTATUS as INTEGER
   // (negative values are treated as failure by GetAFileInfo).
   TNtQueryInformationFile=function(
                FileHandle:THANDLE;
                IoStatusBlock:PIO_STATUS_BLOCK;
                FileInformation:Pointer;
                Length:ULONG;
                FileInformationClass:FILE_INFORMATION_CLASS):INTEGER;stdcall;
    // Pointer to a variable holding the function pointer above.
    PTNtQueryInformationFile=^TNtQueryInformationFile;

   // Signature of RtlNtStatusToDosError: maps a status code to an error code.
   TRtlNtStatusToDosError=function(Status:INTEGER):ULONG;stdcall;
    PTRtlNtStatusToDosError=^TRtlNtStatusToDosError;

   // APC callback type. Not used by the code shown on this page.
   // NOTE(review): unlike the two function types above this one carries no
   // stdcall directive -- confirm the calling convention before using it.
   PIO_APC_ROUTINE=^IO_APC_ROUTINE;
   IO_APC_ROUTINE=procedure(
    ApcContext:Pointer;
   IoStatusBlock:PIO_STATUS_BLOCK;
   Reserved:ULONG);

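// Enumerates the named (non-default) NTFS data streams of one file or
// directory and stores them in pTRR.pRR.
//
//   filename  path of the object to inspect; it is converted into a
//             MAX_PATH-sized wide buffer, so longer paths are truncated.
//   pTRR      result holder; pRR.filename, pRR.filelength, pRR.errorinfo and
//             pRR.myList are overwritten. Each list item is a PStreamInfo
//             allocated with New; ownership passes to the list.
//
// Outcome is reported through pTRR.pRR.errorinfo:
//   EI_F_CanNotOpenFile        CreateFileW failed
//   EI_F_CanNotGetStreamsInfo  buffer could not be allocated/grown, the
//                              size limit was exceeded, or the returned
//                              list was malformed
//   EI_F_NoStreams             query failed or returned no data
//   EI_F_GetStreamsInfoOK      list was walked to the end
//
// The stream list is data read from the volume, so every length and offset
// in it is checked against the buffer before it is used.
procedure GetAFileInfo(filename:string;pTRR:TReturnResult);
const
   // Capacity of the local name buffer in WideChars. The original
   // MAX_PATH-sized buffer was smaller than the longest ":name:$DATA"
   // string NTFS can return, and the copy into it was not bounded.
   STREAM_NAME_CAP=512;
var
   pfilename:array[0..MAX_PATH]of widechar;
   fileHandle:Thandle;
   streamInfoStructMemPtr:Pointer;
   grownPtr:Pointer;
   streamInfoStructPtr:PFILE_STREAM_INFORMATION;
   streamInfoSize:ULONG;
   entryOffset:ULONG;
   headerSize:ULONG;
   nameBytes:ULONG;
   streamName:array[0..STREAM_NAME_CAP]of wchar;
   pstreamsInfo:PStreamInfo;
   heapHandle:THandle;
   ioStatus:IO_STATUS_BLOCK;
   status:Integer;
   tempfilesize:ULONG;
begin
   // Reset the result holder.
   pTRR.pRR.filename:=filename;
   pTRR.pRR.errorinfo:=EI_UnKnown;
   pTRR.pRR.myList.Clear;

   // FILE_FLAG_BACKUP_SEMANTICS lets directories be opened as well.
   StringToWidechar(filename,pfilename,MAX_PATH);
   fileHandle:=CreateFileW(pfilename,
                          GENERIC_READ,
                          FILE_SHARE_READ or FILE_SHARE_WRITE,nil,
                          OPEN_EXISTING,
                          FILE_FLAG_BACKUP_SEMANTICS,0);
   if (fileHandle=INVALID_HANDLE_VALUE) then
   begin
      // Nothing was opened, so there is no handle to close.
      pTRR.pRR.errorinfo:=EI_F_CanNotOpenFile;
      Exit;
   end;

   heapHandle:=0;
   streamInfoStructMemPtr:=nil;
   try
      pTRR.pRR.errorinfo:=EI_F_NoStreams;

      tempfilesize:=GetFileSize(fileHandle,nil);
      if INVALID_FILE_SIZE=tempfilesize then
         pTRR.pRR.filelength:=0
      else
         pTRR.pRR.filelength:=tempfilesize;

      streamInfoSize:=$4000;
      heapHandle:=HeapCreate(HEAP_NO_SERIALIZE,streamInfoSize,0);
      if heapHandle<>0 then
         streamInfoStructMemPtr:=HeapAlloc(heapHandle,HEAP_ZERO_MEMORY,streamInfoSize);
      if streamInfoStructMemPtr=nil then
      begin
         pTRR.pRR.errorinfo:=EI_F_CanNotGetStreamsInfo;
         Exit;
      end;

      ioStatus.Status:=0;
      ioStatus.Information:=0;

      // Grow the buffer in $4000 steps until the list fits or the cap is hit.
      repeat
         status:=NtQueryInformationFile(fileHandle,
                                       @ioStatus,
                                       streamInfoStructMemPtr,
                                       streamInfoSize,
                                       FILESTREAMINFOMATION);
         if(status=STATUS_BUFFER_OVERFLOW)then
         begin
            streamInfoSize:=streamInfoSize+$4000;
            if (streamInfoSize>$3200000) then
            begin
               pTRR.pRR.errorinfo:=EI_F_CanNotGetStreamsInfo;
               Exit;
            end;
            // HeapReAlloc may move the block: keep the returned pointer.
            // On failure the old block is still valid and is freed below.
            grownPtr:=HeapReAlloc(heapHandle,HEAP_ZERO_MEMORY,streamInfoStructMemPtr,streamInfoSize);
            if grownPtr=nil then
            begin
               pTRR.pRR.errorinfo:=EI_F_CanNotGetStreamsInfo;
               Exit;
            end;
            streamInfoStructMemPtr:=grownPtr;
         end;
      until status<>STATUS_BUFFER_OVERFLOW;

      if((status>=0) and (ioStatus.Information<>0))then
      begin
         // Bytes in front of the name inside one entry (record is packed).
         headerSize:=SizeOf(FILE_STREAM_INFORMATION)-SizeOf(WORD);
         entryOffset:=0;
         while(TRUE)do
         begin
            // The fixed part of the entry must lie inside the buffer.
            if (streamInfoSize-entryOffset<headerSize) then
            begin
               pTRR.pRR.errorinfo:=EI_F_CanNotGetStreamsInfo;
               Exit;
            end;
            // Byte-wise pointer arithmetic, no truncating integer cast.
            streamInfoStructPtr:=Pointer(PAnsiChar(streamInfoStructMemPtr)+entryOffset);

            // NameLength is in bytes; it must fit both the remaining
            // buffer and the local copy (plus its terminator slot).
            nameBytes:=streamInfoStructPtr^.NameLength;
            if (nameBytes>streamInfoSize-entryOffset-headerSize) or
               (nameBytes>STREAM_NAME_CAP*SizeOf(WideChar)) then
            begin
               pTRR.pRR.errorinfo:=EI_F_CanNotGetStreamsInfo;
               Exit;
            end;
            Move(streamInfoStructPtr^.pName,streamName,nameBytes);
            streamName[nameBytes div 2]:=#0;

            // The unnamed default stream is the file content itself: skip it.
            if not (WideCompareText(streamName,DEFAULTSTREAMNAME)=0)then
            begin
               new(pstreamsInfo);
               pstreamsInfo^.streamname:=WidechartoString(streamName);
               pstreamsInfo^.streamsize:=streamInfoStructPtr.Size.QuadPart;
               pTRR.pRR.myList.Add(pstreamsInfo);
            end;

            if (streamInfoStructPtr^.NextEntry=0) then break;
            // The next entry must start inside the buffer; this also rules
            // out wrap-around of entryOffset.
            if (streamInfoStructPtr^.NextEntry>streamInfoSize-entryOffset) then
            begin
               pTRR.pRR.errorinfo:=EI_F_CanNotGetStreamsInfo;
               Exit;
            end;
            entryOffset:=entryOffset+streamInfoStructPtr^.NextEntry;
         end;
         pTRR.pRR.errorinfo:=EI_F_GetStreamsInfoOK;
      end else
      begin
         if (status<0) then
         begin
            pTRR.pRR.errorinfo:=EI_F_NoStreams;
         end;
      end;
   finally
      // Runs on every path, including Exit: release the buffer, the private
      // heap created for this call, and the file handle.
      if streamInfoStructMemPtr<>nil then
         HeapFree(heapHandle,HEAP_NO_SERIALIZE,streamInfoStructMemPtr);
      if heapHandle<>0 then
         HeapDestroy(heapHandle);
      CloseHandle(fileHandle);
   end;
end;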
