|
$SDS 数据流
|
Offset
|
Size
|
Description
|
|
0x00
|
4
|
Hash of Security Descriptor
|
|
0x04
|
4
|
Security Id
|
|
0x08
|
8
|
Offset of this entry in this file
|
|
0x10
|
4
|
Size of this entry
|
|
0x04
|
V
|
Self-relative Security Descriptor
|
|
V+0x04
|
P16
|
Padding
|
|
Offset
|
Size
|
Value
|
Description
|
|
|
~
|
~
|
~
|
Standard Index Header
|
|
|
0x00
|
2
|
0x18
|
Offset to data
|
|
|
0x02
|
2
|
0x14
|
Size of data
|
|
|
0x04
|
4
|
0x00
|
Padding
|
|
|
0x08
|
2
|
0x30
|
Size of Index Entry
|
|
|
0x0A
|
2
|
0x08
|
Size of Index Key
|
|
|
0x0C
|
2
|
|
Flags
|
|
|
0x0E
|
2
|
0x00
|
Padding
|
|
|
0x10
|
4
|
|
Key
|
Hash of Security Descriptor
|
|
0x14
|
4
|
|
Key
|
Security Id
|
|
0x18
|
4
|
|
Data
|
Hash of Security Descriptor
|
|
0x1C
|
4
|
|
Data
|
Security Id
|
|
0x20
|
8
|
|
Data
|
Offset to Security Descriptor (in $SDS)
|
|
0x28
|
4
|
|
Data
|
Size of Security Descriptor (in $SDS)
|
|
0x2C
|
P8
|
|
Data
|
Padding
|
|
Offset
|
Size
|
Value
|
Description
|
|
|
~
|
~
|
~
|
Standard Index Header
|
|
|
0x00
|
2
|
0x14
|
Offset to data
|
|
|
0x02
|
2
|
0x14
|
Size of data
|
|
|
0x04
|
4
|
0x00
|
Padding
|
|
|
0x08
|
2
|
0x28
|
Size of Index Entry
|
|
|
0x0A
|
2
|
0x04
|
Size of Index Key
|
|
|
0x0C
|
2
|
|
Flags
|
|
|
0x0E
|
2
|
0x00
|
Padding
|
|
|
0x10
|
4
|
|
Key
|
Security Id
|
|
0x14
|
4
|
|
Data
|
Hash of Security Descriptor
|
|
0x18
|
4
|
|
Data
|
Security Id
|
|
0x1C
|
8
|
|
Data
|
Offset to Security Descriptor (in $SDS)
|
|
0x24
|
4
|
|
Data
|
Size of Security Descriptor (in $SDS)
|
在MFT 文件的属性记录集
|
Type
|
Description
|
Name
|
|
0x10
|
$STANDARD_INFORMATION
|
|
|
0x30
|
$FILE_NAME
|
$UpCase
|
|
0x80
|
$DATA
|
[Unnamed]
|
This is a directory containing the Metadata files: $ObjId, $Quota, $Reparse and $UsnJrnl.
|
Type
|
Description
|
Name
|
|
0x10
|
$STANDARD_INFORMATION
|
|
|
0x30
|
$FILE_NAME
|
$Extend
|
|
0x90
|
$INDEX_ROOT
|
$I30
|
This system file is an index of all the $OBJECT_ID Attributes in use on the volume.
|
Type
|
Description
|
Name
|
|
0x10
|
$STANDARD_INFORMATION
|
|
|
0x30
|
$FILE_NAME
|
$ObjId
|
|
0x90
|
$INDEX_ROOT
|
$O
|
|
0xA0
|
$INDEX_ALLOCATION
|
$O
|
|
0xB0
|
$BITMAP
|
$O
|
|
Offset
|
Size
|
Value
|
Description
|
|
|
~
|
~
|
~
|
Standard Index Header
|
|
|
0x00
|
2
|
0x20
|
Offset to data
|
|
|
0x02
|
2
|
0x38
|
Size of data
|
|
|
0x04
|
4
|
0x00
|
Padding
|
|
|
0x08
|
2
|
0x58
|
Size of Index Entry
|
|
|
0x0A
|
2
|
0x10
|
Size of Index Key
|
|
|
0x0C
|
2
|
|
Flags
|
|
|
0x0E
|
2
|
0x00
|
Padding
|
|
|
0x10
|
16
|
|
Key
|
GUID Object Id
|
|
0x20
|
8
|
|
Data
|
MFT Reference
|
|
0x28
|
16
|
|
Data
|
GUID Birth Volume Id
|
|
0x38
|
16
|
|
Data
|
GUID Birth Object Id
|
|
0x48
|
16
|
|
Data
|
GUID Domain Id
|
Flags
|
Flag
|
Description
|
|
0x01
|
Entry has subnodes
|
|
0x02
|
Last Entry
|
|
Type
|
Description
|
Name
|
|
0x10
|
$STANDARD_INFORMATION
|
|
|
0x30
|
$FILE_NAME
|
$Quota
|
|
0x90
|
$INDEX_ROOT
|
$O
|
|
0x90
|
$INDEX_ROOT
|
$Q
|
|
0xA0
|
$INDEX_ALLOCATION
|
$O
|
|
0xA0
|
$INDEX_ALLOCATION
|
$Q
|
|
0xB0
|
$BITMAP
|
$O
|
|
0xB0
|
$BITMAP
|
$Q
|
|
Offset
|
Size
|
Value
|
Description
|
|
|
~
|
~
|
~
|
Standard Index Header
|
|
|
0x00
|
2
|
0x1C
|
Offset to data
|
|
|
0x02
|
2
|
0x04
|
Size of data
|
|
|
0x04
|
4
|
0x00
|
Padding
|
|
|
0x08
|
2
|
0x20
|
Size of Index Entry
|
|
|
0x0A
|
2
|
0x0C
|
Size of Index Key (K)
|
|
|
0x0C
|
2
|
|
Flags
|
|
|
0x0E
|
2
|
0x00
|
Padding
|
|
|
0x10
|
K
|
|
Key
|
SID
|
|
K+0x10
|
4
|
|
Data
|
Owner Id
|
|
K+0x14
|
P
|
|
Data
|
Padding8
|
|
