Hi Amrat,
Also I know ntfsVolData.MftStartLcn (0xC00000) and MFTRecordNumber (say
$191102), now based on this could I calculate something like below for
getting the logical offset(Bytes) of this MFTRecord in $MFT.
LogicalOffset = ntfsVolData.MftStartLcn.
QuadPart * 4096(cluster size) + (MFTRecordNumber * ntfsVolData.
BytesPerFileRecordSegment);
The sample you have provided assumes that MFT is not fragmented. I mean it
assumes MFT Starts @ X and
goes Y clusters continuesly. But the real problem here is, it doesn’t in
real life. So, you need to deal
with 2 or more parts. Here is my pseudo algo for this :
DWORD RequestedIndex = 30450;
UINT64 VirtualOffset = RequestedIndex * BytesPerFileRecord; // This is the
offset if $MFT DATA was continuous.
UINT64 RealDiskOffset = 0;
INT64 CumulativeOffset = 0;
UINT64 CumulativeSize = 0;
while(!NoMoreRuns) { // Run means a block of MFT data
DWORD RunLen = GetRunLen();
INT64 RunLcn = GetRunLcn(); // This needs to be signed because it
is relative to (n-1)th run
CumulativeSize += RunLen * BytesPerCluster;
CumulativeOffset += RunLcn * BytesPerCluster; // This needs to be
signed because it is relative to (n-1)th run
if(VirtualOffset <= CumulativeSize) {
// Here is our requested index
RealDiskOffset = CumulativeOffset + (VirtualOffset -
(CumulativeSize - RunLen));
break;
}
}
You can have a look some examples at :
*Gary Nebbett - Native Api Reference Appendix E*
http://inform.pucp.edu.pe/~inf232/Ntfs/ntfs_doc_v0.5/help/glossary.html
(Look for Runs)
http://code.google.com/p/bingo-file-search/source/browse/trunk/core-test/core/NTFS.cpp?r=46
Emre TINAZTEPE
On Wed, Feb 1, 2012 at 12:48 PM, wrote:
> Hi Emre,
>
> Also Could you give me pointers or give sample code to do what you
> mentioned below?
>
> In order to programatically get to this point :
> 1. Load MFT record FSCTL_GET_NTFS_FILE_RECORD or read size of MftRecord
> structure from the MftStartLcn (they point to same offset)
> 2. FindDataAttribute of $MFT file
> 3. Get run array of the file (LCN & Length)
> {Amart: I want to find out LBA or Physical sector or perticular MFT entry
> in $MFT}
>
> Thanks in advance.
>
> Cheers,
> Amrat
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>