;DMDE Disk Editor Templates

[MFT Record]
;uncomment guid to use by default:
guid:{1df5ef71-7ae4-b176-c967-f94c63c5fb7a}
flow:1

; Record size: a 2-byte read at 0x1C (the field the display section labels
; "record size"), raised to 1024 when it is smaller.
; NOTE(review): the value is taken from the record being parsed and no upper
; bound is applied in this section; every later "<$RECSIZE" check inherits it.
CALCSIZESTART
  $1:={0x1C,2}
  IF $1<1024
    $1:=1024
  ENDIF
  $RECSIZE:=$1
CALCSIZEEND

; LOAD: puts the saved fixup words back at the end of each 0x200-byte sector
; (presumably run when the record is read into the editor - confirm against
; the DMDE template documentation).
; $1 = read position in the fixup array, $2 = entries left,
; $3 = offset of the last two bytes of the current sector.
LOADSTART
  $1:={0x04,2} ;fixups offset
  ; skip fixups when the offset lies below 0x2A or at/after the record end
  IF $1<0x2A OR $1>=$RECSIZE
    GOTO:1
  ENDIF
  $2:={0x06,2} ;fixups count
  ; the first entry is the sequence value, so a count of 0 or 1 leaves nothing to restore
  IF $2<=1
    GOTO:1
  ENDIF
  $3:=0x1FE ;seq. offset (last two bytes of the first sector)
  ;insert fixups:
  ; Only the first sector's trailing word is compared with the sequence value.
  ; NOTE(review): the following sectors are overwritten without that comparison,
  ; so a torn or partly overwritten record whose first sector matches is shown
  ; as if every sector had passed the check.
  IF {$3,2}={$1,2}
    $1:=$1+2 ;step over the sequence value to the first saved word
    WHILE 1
      $2:=$2-1
      {$3,2}:={$1,2} ;saved word goes back to the end of the sector
      $1:=$1+2
      $3:=$3+0x200
      ; stop when the entries run out or the next sector end is outside the record
      ; NOTE(review): $1 is not re-checked against $RECSIZE inside the loop
      IF NOT $2 OR $3>=$RECSIZE
        BREAK
      ENDIF
    ENDWHILE
  ENDIF
  LABEL:1
LOADEND

; FLUSH: the reverse swap (presumably run before the record is written back -
; confirm). Each sector's current trailing word is stored into the fixup array
; and the sequence value ($4) is written in its place.
; NOTE(review): nothing here records whether LOAD actually applied the fixups.
; If LOAD skipped them because the first sector's trailing word did not match,
; this section still rewrites the sector ends and the fixup array, changing
; bytes the user never edited - confirm the behaviour on damaged records.
FLUSHSTART
  $1:={0x04,2}
  ; same offset and count guards as in LOAD
  IF $1<0x2A OR $1>=$RECSIZE
    GOTO:1
  ENDIF
  $2:={0x06,2}
  IF $2<=1
    GOTO:1
  ENDIF
  $3:=0x1FE
  $4:={$1,2} ;sequence value (first entry of the fixup array)
  $1:=$1+2
  $2:=$2-1 ;entries left after the sequence value
  WHILE 1
    {$1,2}:={$3,2} ;save the sector's trailing word into the array
    {$3,2}:=$4 ;and put the sequence value at the sector end
    $1:=$1+2
    $2:=$2-1
    $3:=$3+0x200
    IF NOT $2 OR $3>=$RECSIZE
      BREAK
    ENDIF
  ENDWHILE
  LABEL:1
FLUSHEND

; Display section: still collapsed onto long lines in this copy; its original
; line breaks are not restored here.
$FILERECOFS:=0x00 $63:=TOGGLE:0,x:1 $10:=0 ;default color IF {0x00,4}!=0x454c4946 $10:=8 ;error color ENDIF IF {0x16,2}&1 $13:=0 ;default color ELSE $13:=10 ;grayed (removed) ENDIF x:5,w:5,c:$10,f:File IF {0x04,2}>=0x30 x:10,w:1,f:# $1:={0x2C,4} $1,x:11,w:10,f:%d ======== ENDIF $1:={0x10,2} $1,x:22,w:8,f:(%h) ======= x:38,w:42,f:================== IF $63 = x:5,w:25,f:magic ("FILE"): {0x00,4},x:32,w:4,c:$10,f:%4c = $10:=0 IF {0x04,2}<0x2A OR {0x04,2}>=$RECSIZE $10:=8 ENDIF x:5,w:25,f:fixups offset: {0x04,2},x:32,w:4,c:$10,f:%4hX x:36,w:1,f:h = $10:=$13 IF {0x06,2}<2 $10:=8 ENDIF x:5,w:25,f:fixups count: {0x06,2},x:32,w:5,f:%4h = x:5,w:23,f:LSNlo: {0x08,4},x:28,w:8,f:%08X x:36,w:1,f:h = x:5,w:23,f:LSNHi: {0x0C,4},x:28,w:8,f:%08X x:36,w:1,f:h = x:5,w:25,f:seq. 
number: {0x10,2},x:32,w:5,f:%4h = x:5,w:25,f:hlink number: {0x12,2},x:32,w:5,f:%4h = x:5,w:25,f:attrs offset: {0x14,2},x:32,w:4,f:%4hX x:36,w:1,f:h = x:5,w:25,f:flags: {0x16,2},x:32,w:4,f:%4hX x:36,w:1,f:h = x:5,w:23,f:used size: {0x18,4},x:28,w:8,f:%8X x:36,w:1,f:h {0x18,4},x:38,w:10,f:%8d = x:5,w:23,f:record size: {0x1C,4},x:28,w:8,f:%8X x:36,w:1,f:h {0x1C,4},x:38,w:10,f:%8d = x:5,w:23,f:basefileref: {0x20,4},x:28,w:10,f:%8d = x:5,w:25,f:0x24: {0x24,2},x:32,w:4,f:%4hX x:36,w:1,f:h = x:5,w:25,f:basefileref seq.: {0x26,2},x:32,w:5,f:%4h = x:5,w:25,f:next attribute #: {0x28,2},x:32,w:5,f:%4h IF {0x04,2}>=0x30 = x:5,w:25,f:0x2A: {0x2A,2},x:32,w:4,f:%4hX x:36,w:1,f:h = x:5,w:23,f:file #: {0x2C,4},x:28,w:10,f:%8d ENDIF $3:={0x04,2} ;fixup offset IF $3>=0x2A AND $3<$RECSIZE = x:5,w:25,f:fixup: {$3,2},x:32,w:4,f:%04hX x:36,w:1,f:h ENDIF ELSE ;if grayed IF NOT $10 AND $13 $10:=$13 ENDIF x:31,w:1,f:" {0x00,4},x:32,w:4,c:$10,f:%4c x:36,w:1,f:" ENDIF ;Attributes $2:={0x14,2} WHILE 1 = $1:=$2 IF $1<0x2A OR $1>=$RECSIZE x:5,w:30,c:8,f:ERROR Attribute Offset = BREAK ENDIF $OFFSET:=$1 $9:={0x00,4} IF $9!=0xFFFFFFFF $63:=TOGGLE:$1,x:1 ELSE {0x00,4},x:11,w:8,c:10,f:%8X x:19,w:1,f:h x:21,w:8,f:End Mark BREAK ENDIF $ATTROFS:=$1 x:5,w:1,f:# $3:={0x0E,2} $3,x:6,w:5,f:%h IF NOT $63 {0x00,4},x:11,w:8,c:$13,f:%8X x:19,w:1,f:h ENDIF IF NOT $63 AND {0x09,1} ;Attr name $3:={0x0A,2} $4:={0x09,1}<<1 x:21,w:1,f:: {$3,$4},x:22,w:58,c:$13,f:U = ENDIF IF $9=0x10 x:21,w:21,f:$STANDARD_INFORMATION ELSEIF $9=0x20 x:21,w:21,f:$ATTRIBUTE_LIST ELSEIF $9=0x30 x:21,w:21,f:$FILE_NAME ELSEIF $9=0x50 x:21,w:21,f:$SECURITY_DESCRIPTOR ELSEIF $9=0x60 x:21,w:21,f:$VOLUME_NAME ELSEIF $9=0x70 x:21,w:21,f:$VOLUME_INFORMATION ELSEIF $9=0x80 x:21,w:21,f:$DATA ELSEIF $9=0x90 x:21,w:21,f:$INDEX_ROOT ELSEIF $9=0xA0 x:21,w:21,f:$INDEX_ALLOCATION ELSEIF $9=0xB0 x:21,w:21,f:$BITMAP ELSEIF $9=0x100 x:21,w:21,f:$LOGGED_UTILITY_STREAM ELSE ;$9,x:11,w:30,f:Attribute (%Xh) x:21,w:21,f:Other Attribute ENDIF $10:=0 ;color 
$2:={0x04,4} $5:=$2 ;full attr length IF $2<=0 $10:=8 ;error color ELSE $2:=$1+$2 ;next attribute offset IF $2>$RECSIZE $2:=$RECSIZE $5:=$2-$1 $10:=8 ENDIF ENDIF IF $63 = x:7,w:20,f:Attr. type: {0x00,4},x:34,w:8,f:%8X x:42,w:1,f:h = x:7,w:20,c:$10,f:Attr. length: {0x04,4},x:34,w:8,c:$10,f:%8X x:42,w:1,f:h {0x04,4},x:44,w:10,c:$10,f:%10u = ELSEIF $10 = x:7,w:20,c:$10,f:Attr. length: {0x04,4},x:34,w:8,c:$10,f:%8X x:42,w:1,f:h = ENDIF IF $2<=0 = BREAK ENDIF IF $63 x:7,w:20,f:Non-resident: {0x08,1},x:39,w:3,f:%3h = x:7,w:20,f:Attrname len: {0x09,1},x:39,w:3,f:%3h = x:7,w:20,f:Attrname ofs: {0x0A,2},x:38,w:4,f:%4hX x:42,w:1,f:h = x:7,w:20,f:Flags: {0x0C,2},x:38,w:4,f:%4hX x:42,w:1,f:h {0x0C:0,2},x:45,w:2,f:F:C-+- {0x0C:14,2},x:48,w:2,f:F:E-S- = x:7,w:20,f:Attr. number: {0x0E,2},x:37,w:5,f:%5h = ENDIF IF NOT {0x08,1} ;resident attribute $10:=0 ;color for offset $11:=0 ;color for size $3:={0x14,2} ;data offset $4:={0x10,4} ;data size IF $3>$5 ;$3>full attr length $3:=$5 $4:=0 $10:=8 ENDIF IF $3+$4>$5 $4:=$5-$3 $11:=8 ENDIF IF NOT $63 IF {0x00,4}=0x80 ;$DATA: ;if grayed IF NOT $11 AND $13 $11:=$13 ENDIF {0x10,4},x:32,w:10,c:$11,f:%u = ELSEIF $11 = x:7,w:20,c:$11,f:Data Size: {0x10,4},x:34,w:8,c:$11,f:%8X x:42,w:1,f:h = ENDIF IF $10 = x:7,w:20,c:$10,f:Data Offset: {0x14,2},x:38,w:4,c:$10,f:%4hX x:42,w:1,f:h = ENDIF ELSE x:7,w:20,c:$11,f:Data Size: {0x10,4},x:34,w:8,c:$11,f:%8X x:42,w:1,f:h {0x10,4},x:44,w:10,c:$11,f:%10u = x:7,w:20,c:$10,f:Data Offset: {0x14,2},x:38,w:4,c:$10,f:%4hX x:42,w:1,f:h = $9:={0x09,1}<<1 IF $9 x:7,w:20,f:Attr. 
name: $8:={0x0A,2} {$8,$9},x:32,w:48,f:U = ENDIF ENDIF IF {0x00,4}=0x10 ;standard information IF NOT $63 $3:=$3+8 $4:=$4-8 {$3,8},x:43,w:23,c:$13,f:FILETIME = ELSE x:14,w:10,f:created: {$3,8},x:32,w:23,f:FILETIME = $3:=$3+8 $4:=$4-8 x:14,w:18,f:modified: {$3,8},x:32,w:23,f:FILETIME = $3:=$3+8 $4:=$4-8 x:14,w:18,f:changed: {$3,8},x:32,w:23,f:FILETIME = $3:=$3+8 $4:=$4-8 x:14,w:18,f:accessed: {$3,8},x:32,w:23,f:FILETIME = $3:=$3+8 $4:=$4-8 x:14,w:18,f:attrs: {$3,2},x:32,w:16,f:F:R-H-S-V-D-A-d-n-t-s-r-c-o-i-e-+- $3:=$3+2 $4:=$4-2 {$3,2},x:49,w:16,f:F:+-+-+-+-+-+-+-+-+-+-+-+-D-I-+-+- = $3:=$3+2 $4:=$4-2 IF $4>=12 x:14,w:18,f:Max versions: {$3,4},x:32,w:10,f:%u = $3:=$3+4 $4:=$4-4 x:14,w:18,f:Version: {$3,4},x:32,w:10,f:%u = $3:=$3+4 $4:=$4-4 x:14,w:18,f:Class Id: {$3,4},x:32,w:10,f:%u = $3:=$3+4 $4:=$4-4 IF $4>=24 x:14,w:18,f:Owner Id: {$3,4},x:32,w:10,f:%u = $3:=$3+4 $4:=$4-4 x:14,w:18,f:Security Id: {$3,4},x:32,w:10,f:%u = $3:=$3+4 $4:=$4-4 x:14,w:18,f:Quota Charged: {$3,8},x:32,w:10,f:%u = $3:=$3+8 $4:=$4-8 x:14,w:18,f:USN: {$3,8},x:32,w:10,f:%u = $3:=$3+8 $4:=$4-8 ENDIF ENDIF ENDIF ELSEIF {0x00,4}=0x20 ;attribute list IF $63 x:1,w:70,f:attr.type len n.len n.ofs vcn MFT (#) attr# name = $8:=$OFFSET $OFFSET:=$OFFSET+$3 WHILE $4>0 IF {0x04,2} $FILENUM:={0x10,4} {0x00,4},x:1,w:8,f:%8X x:9,w:1,f:h ENDIF $9:={0x04,2},x:11,w:5,f:%h IF NOT $9 BREAK ENDIF {0x06,1},x:16,w:3,f:%h $7:={0x07,1},x:21,w:3,f:%3hX x:24,w:1,f:h {0x08,8},x:27,w:18,f:%I {0x10,6},x:45,w:10,f:%I {0x16,2},x:55,w:5,f:%h {0x18,2},x:60,w:5,f:%h IF {0x06,1} $6:={0x06,1}<<1 {$7,$6},x:66,w:14,f:U ENDIF = IF $9>$4 $9:=$4 ENDIF IF NOT $9 BREAK ENDIF $OFFSET:=$OFFSET+$9 $3:=$3+$9 $4:=$4-$9 ENDWHILE $OFFSET:=$8 ENDIF ELSEIF {0x00,4}=0x30 ;file name $FILENUM:=...
expert65