返回首页

这是代码,发现MFTOffset和其他信息。

 60;

 uint nread = 0;

            IntPtr handle;

            byte[] buff = new byte[1024];

            string driveRoot = string.Concat("\\\\.\\", driveLetter);

            IntPtr hRoot = CreateFile(driveRoot,

                GENERIC_READ | GENERIC_WRITE,

                FILE_SHARE_READ | FILE_SHARE_WRITE,

                IntPtr.Zero,

                OPEN_EXISTING,

                FILE_ATTRIBUTE_NORMAL,

                IntPtr.Zero);

            if (hRoot != IntPtr.Zero)

                 ReadFile(hRoot, buff, 1024,out nread, IntPtr.Zero);

            string SystemFile = Convert.ToString(LittleEndian(4, new byte[] { buff[3], buff[4], buff[5], buff[6] }, typeof(string)));

            int BytePerSector = 0;

            int SectorPerCluster = 0;

            double MFTStart = 0;

            if (SystemFile == "NTFS")

            {

                listBox1.Items.Add(SystemFile);

 

                BytePerSector = (int)LittleEndian(2, new byte[] { buff[11], buff[12] }, BytePerSector.GetType());

                listBox1.Items.Add("Byte per Sector : " + BytePerSector);

 

                SectorPerCluster = (int)LittleEndian(1, new byte[] { buff[13] }, typeof(int));

                listBox1.Items.Add("Sector per Cluster : " + SectorPerCluster.ToString());

 

                MFTStart = (long)LittleEndian(8, new byte[]{

                    buff[48],buff[49],buff[50],buff[51],buff[52],buff[53],buff[54],buff[55]}, typeof(long));

                listBox1.Items.Add("MFT LCN : " + MFTStart);

 

            }

            else

                listBox1.Items.Add("No NTFS Valoume");
我想读MFT.I发现其偏移用的CreateFile API partition.i了分区的句柄,然后我得到的MFT抵消ReadFile的API.i从MBR与WINHEX和结果的结果是我想correct.now移动MFT分区地址。我发现SetFilePointer API做我it.couldü发送正确的代码,移动MFT的偏移?
我用SetFilePointer,但我得到了错误,而使用ReadFile的(newAddress)

{C}:赛义德的khataeyan

回答