NTFS 90文件属性
作者:互联网
这是我本地U盘,获取到一个文件目录的90属性
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123
2F61099A0 90 00 00 00 B8 00 00 00 00 04 18 00 00 00 01 00 ................
2F61099B0 98 00 00 00 20 00 00 00 24 00 49 00 33 00 30 00 .... ...$.I.3.0.
2F61099C0 30 00 00 00 01 00 00 00 00 10 00 00 01 00 00 00 0...............
2F61099D0 10 00 00 00 88 00 00 00 88 00 00 00 00 00 00 00 ................
2F61099E0 27 00 00 00 00 00 01 00 68 00 54 00 00 00 00 00 '.......h.T.....
2F61099F0 26 00 00 00 00 00 01 00 5B AE 88 D6 EE D6 04 00 &.......[.......
2F6109A00 C5 F9 BC 2E E6 C0 D7 01 C5 F9 BC 2E E6 C0 D7 01 ................
2F6109A10 5B AE 88 D6 EE D6 D7 01 18 00 00 00 00 00 00 00 [...............
2F6109A20 18 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 ........ .......
2F6109A30 09 03 74 00 65 00 73 00 74 00 32 00 2E 00 74 00 ..t.e.s.t.2...t.
2F6109A40 78 00 74 00 00 00 00 00 00 00 00 00 00 00 00 00 x.t.............
2F6109A50 10 00 00 00 02 00 00 00
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456
00 90 00 00 00 B8 00 00 00 00 04 18 00 00 00 01 00 ................
10 98 00 00 00 20 00 00 00 24 00 49 00 33 00 30 00 .... ...$.I.3.0.
20 30 00 00 00 01 00 00 00 00 10 00 00 01 00 00 00 0...............
30 10 00 00 00 88 00 00 00 88 00 00 00 00 00 00 00 ................
偏移 大小 意义
0X00 4 属性号 90 00 00 00
0X04 4 属性长度 B8 00 00 00
0X08 1 常驻标志 00
0X09 1 名称长度 04
0X0A 2 名称偏移 18 00
0X0C 2 标志(常驻属性不能压缩) 00 00
0X0E 2 属性ID 01 00
0X10 4 属性长度(不含头) 98 00 00 00
0X14 2 属性偏移 20 00 00 00
0X16 1 索引标志 00
0X17 1 填充 00
0X18 8 属性名 24 00 49 00 33 00 30 00
0X20 4 索引属性类型 30 00 00 00
0X24 4 排序规则 01 00 00 00
0X28 4 索引项分配大小 00 10 00 00
0X2C 1 每索引记录的簇数 01
0X2D 3 填充 00 00 00
0X30 4 每索引的偏移 10 00 00 00
0X34 4 索引项的总大小 88 00 00 00
0X38 4 索引项的分配 88 00 00 00
0X3C 1 标志,(0X01大索引) 00
0X3C 3 填充 00 00 00
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00 27 00 00 00 00 00 01 00 68 00 54 00 00 00 00 00 '.......h.T.....
10 26 00 00 00 00 00 01 00 5B AE 88 D6 EE D6 04 00 &.......[.......
20 C5 F9 BC 2E E6 C0 D7 01 C5 F9 BC 2E E6 C0 D7 01 ................
30 5B AE 88 D6 EE D6 D7 01 18 00 00 00 00 00 00 00 [...............
40 18 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 ........ .......
50 09 03 74 00 65 00 73 00 74 00 32 00 2E 00 74 00 ..t.e.s.t.2...t.
60 78 00 74 00 00 00 00 00 00 00 00 00 00 00 00 00 x.t.............
70 10 00 00 00 02 00 00 00
表11 索引根属性中索引头部分结构
偏移 大小 意义
0X00 8 文件的MFT记录号 27 00 00 00 00 00 01 00
0X08 2 索引项大小 68 00
0X0A 2 名称偏移 54 00
0X0C 4 索引标志+填充 00 00 00 00
0X10 8 父目录的MFT文件参考号 26 00 00 00 00 00 01 00
0X18 8 文件创建时间 5B AE 88 D6 EE D6 04 00
0X20 8 文件修改时间 C5 F9 BC 2E E6 C0 D7 01
0X28 8 文件最后修改时间 C5 F9 BC 2E E6 C0 D7 01
0X30 8 文件最后访问时间 5B AE 88 D6 EE D6 D7 01
0X38 8 文件分配大小 18 00 00 00 00 00 00 00
0X40 8 文件实际大小 18 00 00 00 00 00 00 00
0X48 8 文件标志 20 00 00 00 00 00 00 00 文件还是文件夹
0X50 1 文件名长度(F) 09
0X51 1 文件名命名空间 03
0X52 2F 文件名(填充到8字节)
0X52+2F P
0X52 +P+2F 8 子节点索引缓存的VCL
表12 索引项结构
索引根属性就是由索引头和这
最终分析到的就是文件名称是:test2.txt
标签:10,00,NTFS,文件属性,索引,88,01,D6,90 来源: https://blog.csdn.net/r77683962/article/details/121316001