NTFS data stream

zhaozj2021-02-16  85

A few days ago I came across an old article about NTFS data streams, so I wrote a small tool that works with the named data streams in a file. The source code is posted below.

The following is program code:

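// ntfs.cpp: defines the entry point for the console application.
//
// Version history:
//   1.0.0.0: First version.
//   1.0.0.1: All error info output to stderr.
//
// The string literal is read-only storage, so the pointer is const-qualified.
const char *Version_info = "1.0.0.1";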

/ / # include "stdafx.h" #include #include #include

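// Print the command-line synopsis to stdout.
//
// The listing on this page lost the end of this function (the closing
// `);` and brace were turned into an emoticon image tag); both are restored
// here. The option letters are the ones named in the usage text itself.
void PrintUsage()
{
    printf("Usage: nsinfo [-q] [-p] [-d] file\n"
           "-q: query streams\n"
           "-p: print stream\n"
           "-d: delete stream\n"
           "-v: version info\n");
}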

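// List the named (alternate) data streams of a file and print how many were
// found.
//
// Named streams are not shown by an ordinary directory listing, which is why
// they are worth enumerating when auditing a volume for hidden content. The
// enumeration walks the file with BackupRead(): each stream starts with a
// WIN32_STREAM_ID header, followed by the stream name (dwStreamNameSize
// bytes) and then the stream data (Size bytes), which is skipped with
// BackupSeek().
//
// pszFilePath: path of the file to inspect.
// Output: one stream name per line on stdout, then a summary line; failures
// are reported on stderr.
//
// NOTE(review): the file path is a _TCHAR string but is printed with the
// narrow "%s" conversion, which only matches in a non-UNICODE build; confirm
// the build settings or switch these calls to the _t* variants.
void QueryStreamInfo(_TCHAR *pszFilePath)
{
    WIN32_STREAM_ID wsid;
    ZeroMemory(&wsid, sizeof(WIN32_STREAM_ID));

    HANDLE hFile = CreateFile(pszFilePath, GENERIC_READ, 0, NULL,
                              OPEN_EXISTING, 0, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        fprintf(stderr, "Could not open file %s.\n", pszFilePath);
        return;
    }

    // Size of the fixed part of the header, i.e. everything that precedes
    // cStreamName. (The garbled expression in the listing also mentions
    // wsid.dwStreamNameSize, which is zero at this point after ZeroMemory.)
    DWORD dwStreamHeaderSize =
        (DWORD)((LPBYTE)&wsid.cStreamName - (LPBYTE)&wsid);

    LPVOID lpContext = NULL;
    DWORD dwRead = 0;
    UINT unCounter = 0;
    BOOL bContinue = TRUE;

    while (bContinue) {
        bContinue = BackupRead(hFile, (LPBYTE)&wsid, dwStreamHeaderSize,
                               &dwRead, FALSE, FALSE, &lpContext);
        // A failed or short header read means there are no more streams.
        if (!bContinue || dwRead < dwStreamHeaderSize) {
            break;
        }

        // The unnamed default stream has no name to read; skip straight to
        // its data instead of treating the empty name as end of input.
        if (wsid.dwStreamNameSize != 0) {
            WCHAR szStreamName[MAX_PATH] = L"";

            // dwStreamNameSize comes from the file system and is a byte
            // count. Refuse anything that would not fit in the buffer with
            // its terminating NUL, otherwise BackupRead writes past the end
            // of szStreamName on the stack.
            if (wsid.dwStreamNameSize > sizeof(szStreamName) - sizeof(WCHAR)) {
                fprintf(stderr, "Stream name too long in file %s.\n",
                        pszFilePath);
                break;
            }

            bContinue = BackupRead(hFile, (LPBYTE)szStreamName,
                                   wsid.dwStreamNameSize, &dwRead,
                                   FALSE, FALSE, &lpContext);
            if (!bContinue || dwRead == 0) {
                break;
            }

            wprintf(L"%s\n", szStreamName);
            unCounter++;
        }

        // Skip the stream's data so the next read lands on the next header.
        DWORD dw1, dw2;
        bContinue = BackupSeek(hFile, wsid.Size.LowPart, wsid.Size.HighPart,
                               &dw1, &dw2, &lpContext);
    }

    // BackupRead keeps state in lpContext; calling it once more with
    // bAbort = TRUE releases that state.
    if (lpContext != NULL) {
        BackupRead(hFile, NULL, 0, &dwRead, TRUE, FALSE, &lpContext);
    }
    CloseHandle(hFile);

    // The wording of the second message is reconstructed: the listing only
    // preserves the fragment " there " for it.
    if (unCounter == 1) {
        printf("There is only %u named streams in %s.\n", unCounter,
               pszFilePath);
    } else {
        printf("There are %u named streams in %s.\n", unCounter, pszFilePath);
    }
}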

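// Copy the contents of a file (or of one of its named streams) to stdout.
//
// pszFilePath: path handed unchanged to CreateFile(). NOTE(review):
// presumably a "file:stream" path is passed here to read a named stream;
// the code that builds the path is not visible in this listing.
//
// The data is written with fwrite() using the byte count ReadFile()
// reported, so content containing NUL bytes is not cut short the way a "%s"
// conversion would cut it. The handle is closed before returning.
void ReadStreamInfo(_TCHAR *pszFilePath)
{
    HANDLE hFile = CreateFile(pszFilePath, GENERIC_READ, 0, NULL,
                              OPEN_EXISTING, 0, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        fprintf(stderr, "Could not open file %s.\n", pszFilePath);
        return;
    }

    DWORD dwReaded = 1;
    BOOL bResult = TRUE;
    while (bResult && dwReaded != 0) {
        BYTE szBuffer[512] = {0};
        bResult = ReadFile(hFile, szBuffer, 510, &dwReaded, NULL);
        if (bResult && dwReaded != 0) {
            fwrite(szBuffer, 1, dwReaded, stdout);
        }
    }

    CloseHandle(hFile);
}

// Program entry point: parse the command line and run the selected action.
//
// NOTE(review): the option-parsing loop is truncated in this listing. Only
// its opening, `for (int i = 1; i`, survives, so the code that sets
// pszFilePath and the -q / -p / -d flags cannot be recovered from the page
// and is not reproduced here. Restore it from the original source before
// building; without it no file path is ever set and the program only prints
// the usage text.
int _tmain(int argc, _TCHAR *argv[])
{
    _TCHAR *pszFilePath = NULL;
    bool bDeleteStream = false;  // no delete handler is visible in this listing
    bool bQueryStream = false;
    bool bReadStream = false;

    // Deal with the parameters.
    if (argc == 1) {
        // No arguments: nothing to do beyond showing the synopsis.
        PrintUsage();
        return 0;
    }
    if (argc == 2) {
        // Default: enable the query option.
        bQueryStream = true;
    }

    // ... option-parsing loop missing from the listing (see note above) ...

    // Never hand a NULL path to the stream routines.
    if (pszFilePath == NULL) {
        PrintUsage();
        return 1;
    }

    if (bQueryStream) {
        QueryStreamInfo(pszFilePath);
    }
    if (bReadStream) {
        ReadStreamInfo(pszFilePath);
    }
    return 0;
}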
