这是代码,发现MFTOffset和其他信息。
60;
我想读MFT.I发现其偏移用的CreateFile API partition.i了分区的句柄,然后我得到的MFT抵消ReadFile的API.i从MBR与WINHEX和结果的结果是我想correct.now移动MFT分区地址。我发现SetFilePointer API做我it.couldü发送正确的代码,移动MFT的偏移? uint nread = 0;
IntPtr handle;
byte[] buff = new byte[1024];
string driveRoot = string.Concat("\\\\.\\", driveLetter);
IntPtr hRoot = CreateFile(driveRoot,
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
IntPtr.Zero,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
IntPtr.Zero);
if (hRoot != IntPtr.Zero)
ReadFile(hRoot, buff, 1024,out nread, IntPtr.Zero);
string SystemFile = Convert.ToString(LittleEndian(4, new byte[] { buff[3], buff[4], buff[5], buff[6] }, typeof(string)));
int BytePerSector = 0;
int SectorPerCluster = 0;
double MFTStart = 0;
if (SystemFile == "NTFS")
{
listBox1.Items.Add(SystemFile);
BytePerSector = (int)LittleEndian(2, new byte[] { buff[11], buff[12] }, BytePerSector.GetType());
listBox1.Items.Add("Byte per Sector : " + BytePerSector);
SectorPerCluster = (int)LittleEndian(1, new byte[] { buff[13] }, typeof(int));
listBox1.Items.Add("Sector per Cluster : " + SectorPerCluster.ToString());
MFTStart = (long)LittleEndian(8, new byte[]{
buff[48],buff[49],buff[50],buff[51],buff[52],buff[53],buff[54],buff[55]}, typeof(long));
listBox1.Items.Add("MFT LCN : " + MFTStart);
}
else
listBox1.Items.Add("No NTFS Valoume");
我用SetFilePointer,但我得到了错误,而使用ReadFile的(newAddress)
{C}:赛义德的khataeyan