Readin the $MFT

EDN Admin · Mar 28, 2012

Im into being able to read the NTFS MFT. Theres a routine, originally written by StcroixSkipper in C# which I have translated into VB. Each MFT record provides two FIDs (File IDs), one for the file in question and one for its directory in the MFT
of course. The routine that is supplying a directory spec is failing miserably returnin nothing and looks like this:
<img alt="" src="http://social.msdn.microsoft.com/Forums/getfile/85403
The code that is failing looks like this:

<p style="line-height:normal; margin-bottom:0pt <span style="font-family:Consolas; color:blue; font-size:9.5pt Private<span style="font-family:Consolas; font-size:9.5pt
<span style="color:blue Function PathFromFrn(<span style="color:blue ByVal Id
<span style="color:blue As <span style="color:blue Long) <span style="color:blue
As <span style="color:blue String


<span style="color:blue Dim FileName 
<span style="color:blue Dim UnicodeString 
<span style="color:blue Dim ObjAttributes 
<span style="color:blue Dim IoStatusBlock 
<span style="color:blue Dim hFile 
<span style="color:blue Dim Buffer <span style="color:blue As
<span style="color:#2b91af IntPtr = 
<span style="color:blue Dim Refptr <span style="color:blue As
<span style="color:#2b91af IntPtr = 
<span style="color:blue Dim ObjAtt <span style="color:blue As
<span style="color:#2b91af IntPtr = <span style="color:#2b91af Marshal.AllocHGlobal(<span style="color:#2b91af Marshal.SizeOf(ObjAttributes))
<span style="color:green pointer to the unicode string struct

>fileid

<span style="color:#2b91af Marshal.WriteInt64(Refptr, 0, Id)


UnicodeString.Length = 8

UnicodeString.MaximumLength = 8

UnicodeString.Buffer = Refptr


<span style="color:#2b91af Marshal.StructureToPtr(UnicodeString, ObjAtt,
<span style="color:blue True)


ObjAttributes.Length = 
ObjAttributes.ObjectName = ObjAtt

ObjAttributes.RootDirectory = m_hCJ

ObjAttributes.Attributes = OBJ_CASE_INSENSITIVE

fOk = NtCreateFile(hFile, 0, ObjAttributes, IoStatusBlock, 0, 0, _

FILE_SHARE_READ 
FILE_OPEN, FILE_OPEN_BY_FILE_ID <span style="color:blue Or FILE_OPEN_FOR_BACKUP_INTENT, 0, 0)

 INVALID_HANDLE_VALUE <span style="color:blue
Then

fOk = NtQueryInformationFile(hFile, IoStatusBlock, Buffer, 4096, FileNameInformationClass)

 <span style="color:blue If fOk = 0
<span style="color:blue Then


<span style="color:blue Dim FileLength <span style="color:blue As


FileName = <span style="color:#2b91af Marshal.PtrToStringUni(<span style="color:blue New
<span style="color:#2b91af IntPtr(Buffer.ToInt32() + 4), FileLength / 2)

<span style="color:blue End <span style="color:blue If



CloseHandle(hFile)



<span style="color:#2b91af Marshal.FreeHGlobal(Refptr)
<p style="line-height:normal; margin-bottom:0pt <span style="font-family:Consolas; font-size:9.5pt


<span style="color:blue End <span style="color:blue Function

I realize that it will be luck to catch this. I hope someone here can help me.
Renee <hr class="sig "MODERN PROGRAMMING is deficient in elementary ways BECAUSE of problems INTRODUCED by MODERN PROGRAMMING." Me

View the full article

Readin the $MFT

EDN Admin

Well-known member

Similar threads